Discussion of krb5_get_init_creds_password() behavior was Re: problem with the kinit_prompter in kfw 2.5

Sam Hartman hartmans at MIT.EDU
Mon Feb 23 14:24:46 EST 2004

>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:

    Nicolas> On Mon, Feb 23, 2004 at 12:49:39PM -0500, Ken Hornstein
    Nicolas> wrote:
    >> Okay, so given that virtually everybody has configured their
    >> site to have an admin_server, and thus everyone has the "double
    >> query to the master KDC" problem ... what's the best solution?
    >> Use Jeff's suggestion and turn use_master into an int * ?

    Nicolas> I like Jeff's suggestion.

I don't understand why that is necessary.  It seems that the calling
code can trap the appropriate errors and not call the KDC a second

There aren't really that many errors that guarantee you shouldn't
contact the master KDC.

Ken's not going to like the following comments very much.  If you have
an admin_server line, that pretty much means you have an MIT KDC or
have things misconfigured.  If you don't have a MIT KDC we recommend
replacing the admin_server line with a kpasswd_server line.

MIT does not support any mode where the KDC saves state across
requests or where generating multiple requests is a problem.  When we
considered this issue for 1.3 we explicitly considered the writable
KDC DB mode and came to the conclusion that we'd always described
that code path as a use at your own risk code path.  This is one of
the risks you get for using that code.

Long term the whole use_master cruft should go away.  Long term KDCs
should stay in better sync.

If people have specific conditions under which they believe it is
wrong to contact the master, we can do that.  One condition we believe
is important to contact the master under is password incorrect.
