suggestion for locating master kdc logic

Russ Allbery rra at
Fri Apr 6 16:09:12 EDT 2012

Will Fiveash <will.fiveash at> writes:

> Certainly for Solaris, we have not documented master_kdc so I'm pretty
> sure most if not all krb configs on those systems are not benefiting
> from the fall back to master_kdc when getting a krb err.

Not only do you lose fallback in this case, but you also don't get
password change on expired password, unless you patched the code to not
require master_kdc in that case as well.

I added the following to the man page of my pam-krb5 module because of

       If you are using MIT Kerberos, be aware that users whose passwords
       are expired will not be prompted to change their password unless
       the KDC configuration for your realm in [realms] in krb5.conf
       contains a master_kdc setting or, if using DNS SRV records, you
       have a DNS entry for _kerberos-master as well as _kerberos.

Russ Allbery
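
A check for the condition described in the message above, as an added example that is not part of the original post or of pam-krb5: it scans krb5.conf text and lists the realms whose [realms] block has no master_kdc relation. The sample configuration and its realm and host names are constructed, include directives are not followed, and a flagged realm can still be fine if a _kerberos-master DNS SRV record exists.

```python
import re

# Constructed sample krb5.conf; realm and host names are placeholders.
SAMPLE_KRB5_CONF = """\
[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
        auth_to_local_names = {
            admin = root
        }
        master_kdc = kdc1.example.org
    }
    LAB.EXAMPLE.ORG = {
        kdc = kdc.lab.example.org
        admin_server = kdc.lab.example.org
    }
[domain_realm]
    .example.org = EXAMPLE.ORG
"""

def realms_missing_master_kdc(conf_text):
    """Return realms in [realms] whose block has no master_kdc relation."""
    section, realm, depth = None, None, 0
    tags = {}  # realm name -> relation tags seen at the top of its block
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            section = header.group(1)
        elif section != "realms":
            continue
        elif line.startswith("}"):
            depth = max(depth - 1, 0)
        elif line.endswith("{"):
            if depth == 0:  # opening a realm block
                realm = line.split("=", 1)[0].strip()
                tags.setdefault(realm, set())
            depth += 1  # deeper levels are nested subsections
        elif depth == 1:
            tags[realm].add(line.split("=", 1)[0].strip())
    return sorted(r for r, seen in tags.items() if "master_kdc" not in seen)

if __name__ == "__main__":
    for name in realms_missing_master_kdc(SAMPLE_KRB5_CONF):
        print(f"{name}: no master_kdc; needs a _kerberos-master SRV record")
```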
