suggestion for locating master kdc logic
Greg Hudson
ghudson at MIT.EDU
Thu Apr 5 23:25:05 EDT 2012
On 04/05/2012 07:53 PM, Will Fiveash wrote:
> Anyone have a problem if I modify the MIT krb code so that if a
> master_kdc spec is not found to then look for admin_server and if that
> isn't found also look for kpasswd_server? This change would affect
> dns_locate_server() and prof_locate_server().
I'm always a little nervous about reversing previous design decisions
that I don't completely understand. I can find a little bit of design
rationale in ticket #1692, which says:
    Currently the admin_server tag is overloaded for kadmin and
    password changing. So, don't use it as a filter on the KDC list;
    instead, look for master_kdc as an independent list.
I'm not quite sure what Ken had in mind here. I can speculate that he
was concerned about environments where the kadmin or kpasswd server host
doesn't run a KDC, in which case trying to contact it would result in an
unwelcome timeout.