Discussion of krb5_get_init_creds_password() behavior wasRe:problem with the kinit_prompter in kfw 2.5

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Feb 20 11:17:38 EST 2004

>    Jeffrey> Now the discussion is on the topic of double queries
>    Jeffrey> being sent to the "master" kdc when the password does not
>    Jeffrey> match the one known by the first kdc tried.
>Right.  ANd I don't see that as problematic since you have to go out
>of your way to enable the functionality.

But wait a minute.

According to what I see in 1.3.1, when use_master is set, it uses the
krb5.conf entry for "admin_server" (it takes a while to find it, but
that's certainly how I read krb5_locate_srv_conf_1()).  I think we _all_
have an admin_server set; if we don't, then kadmin & kpasswd won't
work.  That means that a "standard" configuration will result in a double
query even if the first KDC queried is the master.


More information about the krbdev mailing list