Discussion of krb5_get_init_creds_password() behavior was Re:problem with the kinit_prompter in kfw 2.5

[Ken Hornstein]

>OK.  It's here.  And I still don't think the logic of
>krb5_get_init_creds_password() is correct...

I completely agree with you, FWIW.  That whole mess causes me no end of
pain (for different reasons, though).

>> >Ugly as it is, I think the only way to make this really work
>> >properly is for krb5_get_init_creds() to return an indication
>> >as to whether or not the reply it is returning came from the
>> >master kdc and if so, skip the 2nd call (with use_master = 1).

This seems reasonable to me.

>OK, actually, the right fix would be for the KDCs to use
>a proper replicated DB so you always get the same answer
>no matter which KDC responds.  But, I'm not holding my breath.

No argument here :-/

--Ken