Ticket 5338: Race conditions in key rotation

Jeffrey Altman jaltman at secure-endpoints.com
Wed Jun 25 15:49:28 EDT 2008

Jeffrey Hutzelman wrote:
> Now, this will still be a fixed-master system, so the kadmin service will
> have to be advertised with the master's real name and address.  If the
> master goes down, then kadmin, password-changing, and other services that
> require modifying the database will be unavailable.  However, most clients
> will not notice because their requests will be routed to another KDC.
Note that admin_server and master_kdc in MIT kerberos are independent 
admin_server is the list of machines that provide administrative and 
password change services.
master_kdc is the list of servers that are authoritative.  They do not 
have to be the same
and in a multi-master world, it is possible that either all or none of 
the KDCs could be in
the master_kdc list.
> Until you introduce this change, which causes clients to try the
> advertised master for every KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN they get
> during aklog.  Now, instead of logins happening as quickly as if there
> were no server down, they happen as slowly as if we didn't have the
> anycast pool to begin with.
This is not true.  The delay when a server is down is the timeout 
waiting for any response
not the time necessary to get KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN and retry.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3355 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20080625/984de3d1/attachment.bin

More information about the krbdev mailing list