suggestion for locating master kdc logic

Greg Hudson ghudson at MIT.EDU
Thu Apr 5 23:25:05 EDT 2012

On 04/05/2012 07:53 PM, Will Fiveash wrote:
> Anyone have a problem if I modify the MIT krb code so that if a
> master_kdc spec is not found to then look for admin_server and if that
> isn't found also look for kpasswd_server?  This change would affect
> dns_locate_server() and prof_locate_server().

I'm always a little nervous about reversing previous design decisions
that I don't completely understand.  I can find a little bit of design
rationale in ticket #1692, which says:

    Currently the admin_server tag is overloaded for kadmin and
    password changing.  So, don't use it as a filter on the KDC list;
    instead, look for master_kdc as an independent list.

I'm not quite sure what Ken had in mind here.  I can speculate that he
was concerned about environments where the kadmin or kpasswd server host
doesn't run a KDC, in which case trying to contact it would result in an
unwelcome timeout.

More information about the krbdev mailing list