suggestion for locating master kdc logic

Will Fiveash will.fiveash at oracle.com
Tue Apr 3 20:39:45 EDT 2012


On Tue, Apr 03, 2012 at 06:14:11PM -0500, Will Fiveash wrote:
> Looking at the code for krb5_get_init_creds_password() and
> prof_locate_server() I see that if the KDC specified by a "kdc =" spec
> in krb5.conf returns a krb error, the acquire krb cred logic is to look
> for a master_kdc spec either in krb5.conf or via DNS and if one isn't
> found, give up.  Given that the admin_server/kpasswd_server specs are
> very likely to reference a master KDC, shouldn't the *_locate_server()
> functions when given a locate_service type of locate_service_master_kdc
> try to first find master_kdc (current behavior) and if that fails then
> admin_server and finally kpasswd_server?  I can't imagine why master_kdc
> would point to a different KDC than the one the admin_server is set to.

Thinking more, I realize that performance may be a reason not to fall
back to trying admin_server if master_kdc isn't found; however, if the
logic could determine that the admin_server pointed to a KDC that
differed from the previous KDC that returned a krb error, then this would
at least avoid a redundant attempt to acquire a krb cred.  Are there
cases where it is desired to only try one KDC when attempting to acquire
a krb cred and not fall back to trying the master KDC as specified by
either master_kdc, admin_server or kpasswd_server?

I also wonder how many people understand the current behavior with
regard to the various KDC parameters and their effect on the kinit,
kadmin and kpasswd commands.  Take this realm example:

FOO.COM = {
    kdc = kdc1.foo.com
    kdc = kdc2.foo.com
    master_kdc = kdc3.foo.com
    admin_server = kdc3.foo.com
    kpasswd_server = kdc3.foo.com
}

If one tries to acquire a cred for a princ that is only on kdc3, the
logic is to first try kdc1 and if that returns a krb error like princ
not found then try kdc3.  If kdc1 doesn't answer then kdc2 will be
tried.  If neither of those KDCs respond the logic is to stop trying
(master_kdc kdc3 is not tried).  If however either kdc1 or kdc2 respond
with a krb error, kdc3 will be tried.

For the kadmin command the admin_server will be tried first and if that
doesn't respond the kpasswd_server will be tried.  For kpasswd the order
is reversed.  Both utilities ignore the master_kdc parameter.

-- 
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
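The following is an added model of the fallback order the post describes, written for this page and not code from the krb5 library or the krbdev list. It lets an administrator see, for a realm stanza like the FOO.COM example and a constructed set of KDC responses, which hosts a kinit-style credential acquisition would contact, when master_kdc is and is not consulted, and what changes under the proposed master_kdc -> admin_server -> kpasswd_server lookup order (the `fallback_to_admin` flag is an assumption used to model that proposal, not a real krb5 option).

```python
"""
Model of the KDC fallback order described in the post (constructed
example, not krb5 library code).  A realm stanza is a dict whose "kdc"
entry is a list; KDC outcomes are simulated by a host -> result map.
"""

# Simulated outcomes a KDC can produce for one request (constructed).
OK = "ok"                # KDC answered and issued the credential
KRB_ERROR = "krb_error"  # KDC answered with a Kerberos error (e.g. unknown principal)
TIMEOUT = "timeout"      # KDC did not respond at all

# The FOO.COM stanza from the post, as a dict (sample input).
REALM_FOO = {
    "kdc": ["kdc1.foo.com", "kdc2.foo.com"],
    "master_kdc": "kdc3.foo.com",
    "admin_server": "kdc3.foo.com",
    "kpasswd_server": "kdc3.foo.com",
}


def locate_master(realm, fallback_to_admin=False):
    """Return the master KDC host for a realm stanza, or None.

    Current behaviour (per the post): only master_kdc is consulted.
    fallback_to_admin=True is a hypothetical switch modelling the
    proposed order: master_kdc, then admin_server, then kpasswd_server.
    """
    keys = ["master_kdc"]
    if fallback_to_admin:
        keys += ["admin_server", "kpasswd_server"]
    for key in keys:
        if realm.get(key):
            return realm[key]
    return None


def acquire_cred(realm, responses, fallback_to_admin=False):
    """Simulate the kinit-style logic described in the post.

    responses: dict host -> OK | KRB_ERROR | TIMEOUT (constructed input;
               a host missing from the map is treated as TIMEOUT).
    Returns (tried, outcome): the ordered list of hosts contacted and
    either OK or a short failure reason.
    """
    tried = []
    for host in realm.get("kdc", []):
        tried.append(host)
        result = responses.get(host, TIMEOUT)
        if result == OK:
            return tried, OK
        if result == KRB_ERROR:
            # A krb error from a regular KDC triggers a single retry against
            # the master KDC (the principal may only exist there yet); if no
            # master can be located the acquisition gives up.
            master = locate_master(realm, fallback_to_admin)
            if master is None:
                return tried, "krb_error, no master KDC located"
            if master in tried:
                # The post's performance point: re-asking the host that just
                # returned the error would be a redundant attempt.
                return tried, "krb_error, master KDC already tried"
            tried.append(master)
            return tried, responses.get(master, TIMEOUT)
        # TIMEOUT: fall through to the next kdc entry.
    # Every kdc entry timed out: the master KDC is not tried at all.
    return tried, "all kdc entries timed out, master KDC not tried"


def admin_order(realm, command):
    """Hosts kadmin or kpasswd would try, in order; master_kdc is ignored."""
    keys = ["admin_server", "kpasswd_server"]
    if command == "kpasswd":
        keys.reverse()
    return [realm[k] for k in keys if realm.get(k)]


if __name__ == "__main__":
    # kdc1 answers "principal unknown", so kdc3 (master_kdc) is consulted.
    print(acquire_cred(REALM_FOO, {"kdc1.foo.com": KRB_ERROR, "kdc3.foo.com": OK}))
    # Both regular KDCs are silent: the master is never tried.
    print(acquire_cred(REALM_FOO, {}))
    print(admin_order(REALM_FOO, "kadmin"), admin_order(REALM_FOO, "kpasswd"))
```

Running the two cases from the post shows the asymmetry Will points out: a krb error from kdc1 leads to kdc3 being asked, but two timeouts leave kdc3 untouched even though admin_server and kpasswd_server both name it. Removing `master_kdc` from the stanza and passing `fallback_to_admin=True` shows how the proposed lookup order would recover the master from admin_server instead.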