Discussion of krb5_get_init_creds_password() behavior (was Re: problem with the kinit_prompter in kfw 2.5)

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Feb 20 11:17:38 EST 2004


>    Jeffrey> Now the discussion is on the topic of double queries
>    Jeffrey> being sent to the "master" kdc when the password does not
>    Jeffrey> match the one known by the first kdc tried.
>
>Right.  And I don't see that as problematic since you have to go out
>of your way to enable the functionality.

But wait a minute.

According to what I see in 1.3.1, when use_master is set, it uses the
krb5.conf entry for "admin_server" (it takes a while to find it, but
that's certainly how I read krb5_locate_srv_conf_1()).  I think we _all_
have an admin_server set; if we don't, then kadmin & kpasswd won't
work.  That means that a "standard" configuration will result in a double
query even if the first KDC queried is the master.

--Ken

