suggestion for locating master kdc logic

Will Fiveash will.fiveash at oracle.com
Thu Apr 5 19:53:50 EDT 2012


On Tue, Apr 03, 2012 at 07:39:45PM -0500, Will Fiveash wrote:
> On Tue, Apr 03, 2012 at 06:14:11PM -0500, Will Fiveash wrote:
> > Looking at the code for krb5_get_init_creds_password() and
> > prof_locate_server() I see that if the KDC specified by a "kdc =" spec
> > in krb5.conf returns a krb error, the acquire krb cred logic is to look
> > for a master_kdc spec either in krb5.conf or via DNS and if one isn't
> > found, give up.  Given that the admin_server/kpasswd_server specs are
> > very likely to reference a master KDC, shouldn't the *_locate_server()
> > functions when given a locate_service type of locate_service_master_kdc
> > try to first find master_kdc (current behavior) and if that fails then
> > admin_server and finally kpasswd_server?  I can't imagine why master_kdc
> > would point to a different KDC than the one the admin_server is set to.
> 
> Thinking more, I realize that performance may be a reason not to fall
> back to trying admin_server if master_kdc isn't found however if the
> logic could determine that the admin_server pointed to a KDC that
> differed from the previous KDC that returned a krb error then this would
> at least avoid a redundant attempt to acquire a krb cred.  Are there
> cases where it is desired to only try one KDC when attempting to acquire
> a krb cred and not fall back to trying the master KDC as specified by
> either master_kdc, admin_server or kpasswd_server?

Anyone have a problem if I modify the MIT krb code so that if a
master_kdc spec is not found to then look for admin_server and if that
isn't found also look for kpasswd_server?  This change would affect
dns_locate_server() and prof_locate_server().

-- 
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
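An added illustration of the lookup order proposed above (master_kdc, then admin_server, then kpasswd_server); this is example code written for this archive page, not code from MIT Kerberos, and it generalises the "avoid a redundant attempt" idea by skipping any candidate whose host matches the KDC that already returned an error. The stanza, `parse_realm` and `locate_master_kdc` are constructed for the example.

```python
import re

# Constructed krb5.conf [realms] stanza for the example (not from the post).
SAMPLE_KRB5_CONF = """
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com:88
        admin_server = kdc1.example.com:749
        kpasswd_server = kdc1.example.com
    }
"""

# Order proposed in the message: master_kdc first, then the two admin specs.
MASTER_FALLBACK_ORDER = ("master_kdc", "admin_server", "kpasswd_server")


def parse_realm(conf, realm):
    """Return {key: [value, ...]} for one realm stanza of a krb5.conf text."""
    m = re.search(r"\[realms\].*?" + re.escape(realm) + r"\s*=\s*\{(.*?)\}",
                  conf, re.S)
    if not m:
        return {}
    spec = {}
    for line in m.group(1).splitlines():
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            spec.setdefault(key, []).append(value)  # repeated keys are lists
    return spec


def hostname(server):
    """Drop an optional :port so hosts that differ only by port compare equal
    (assumes plain hostnames, not bracketed IPv6 literals)."""
    return server.split(":")[0]


def locate_master_kdc(spec, failed_kdc=None):
    """Model of the proposed fallback: walk the specs in order and return the
    first (key, server) whose host is not the KDC that already failed."""
    for key in MASTER_FALLBACK_ORDER:
        for server in spec.get(key, []):
            if failed_kdc is None or hostname(server) != hostname(failed_kdc):
                return key, server
    return None  # nothing left to try: give up, as the current code does


if __name__ == "__main__":
    realm = parse_realm(SAMPLE_KRB5_CONF, "EXAMPLE.COM")
    print(locate_master_kdc(realm, failed_kdc="kdc2.example.com:88"))
```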