suggestion for locating master kdc logic
rra at stanford.edu
Fri Apr 6 16:09:12 EDT 2012
Will Fiveash <will.fiveash at oracle.com> writes:

> Certainly for Solaris, we have not documented master_kdc so I'm pretty
> sure most if not all krb configs on those systems are not benefiting
> from the fall back to master_kdc when getting a krb err.

Not only do you lose fallback in this case, but you also don't get
password change on expired password, unless you patched the code to not
require master_kdc in that case as well.

I added the following to the man page of my pam-krb5 module because of

    If you are using MIT Kerberos, be aware that users whose passwords
    are expired will not be prompted to change their password unless
    the KDC configuration for your realm in [realms] in krb5.conf
    contains a master_kdc setting or, if using DNS SRV records, you
    have a DNS entry for _kerberos-master as well as _kerberos.

Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
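
An added example, not part of the original message or of pam-krb5: a small audit that reads krb5.conf text and reports realms in [realms] that list a kdc but no master_kdc, the configuration the man page note above warns about. The function name, sample realms and hosts are hypothetical.

```python
import re

# master_kdc is the name in the post; MIT krb5 1.19+ also accepts primary_kdc.
MASTER_KEYS = {"master_kdc", "primary_kdc"}

def realms_without_master(conf_text):
    """Return realms in [realms] that list a kdc but no master KDC."""
    section, realm, depth = None, None, 0
    seen = {}  # realm -> relation names at the top level of its block
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m and depth == 0:
            section, realm = m.group(1), None
        elif section != "realms":
            continue
        elif realm is None:
            m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
            if m:
                realm, depth = m.group(1), 1
                seen[realm] = set()
        elif line.endswith("{"):
            depth += 1  # nested block such as auth_to_local_names
        elif line.startswith("}"):
            depth -= 1
            realm = None if depth == 0 else realm
        elif depth == 1:
            seen[realm].add(line.split("=", 1)[0].strip())
    return sorted(r for r, k in seen.items() if "kdc" in k and not k & MASTER_KEYS)

# Constructed sample krb5.conf; realm and host names are hypothetical.
SAMPLE = """
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
    }
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
        master_kdc = kdc1.example.org
        auth_to_local_names = {
            root = admin
        }
    }
"""

if __name__ == "__main__":
    print("realms missing master_kdc:", realms_without_master(SAMPLE))
```

Realms located only through DNS SRV records have no kdc relation in the file and are not flagged; for those, the _kerberos-master record named in the note is what has to exist.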