issue with MIT KDC and LDAP DS

Simo Sorce ssorce at redhat.com
Sat May 23 10:12:03 EDT 2009


On Fri, 2009-05-22 at 20:31 -0400, Jeffrey Hutzelman wrote:
> --On Friday, May 22, 2009 08:12:38 PM -0400 Ken Raeburn <raeburn at MIT.EDU> 
> wrote:
> 
> > It is a backwards-incompatible protocol change (if you consider "stop
> > sending queries after any response" to be part of the original protocol),
> > but it's already deployed, some time ago.
> 
> I don't, particularly, but the original protocol didn't provide any way to 
> signal to a client that it should try another KDC, and dropping the request 
> on the floor works.

Maybe an option in kdc.conf can be offered for backwards compatibility
with old clients, if an organization still has such ancient code
around, and let modern clients get a better reply.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



