master_kdc is now required?

Sam Hartman hartmans at MIT.EDU
Thu Aug 21 14:25:51 EDT 2003

The change in 1692 was explicitly to avoid doing the master_kdc lookup
unless it was enable by the user.  The problem is that some KDCs will
have an account lockout count and trying the master KDC double
decremented this counter.

So you should either include the patch from 1721 or a krby.conf with
master_kdc.  Or include the _kerberos_master SRV record in DNS.

Anyway, yes KFW 2.5 does not quite correspond to 1.3.1 or to the
eventual 1.3.2 release.  That's kind of unusual for KFW; past KFW
releases have tended to correspond exactly to a krb5 release.  In the
case of KFM, including extra changes not yet in a core release is more


More information about the krbdev mailing list