suggestion for locating master kdc logic

Russ Allbery rra at stanford.edu
Fri Apr 6 16:09:12 EDT 2012


Will Fiveash <will.fiveash at oracle.com> writes:

> Certainly for Solaris, we have not documented master_kdc so I'm pretty
> sure most if not all krb configs on those systems are not benefiting
> from the fall back to master_kdc when getting a krb err.

Not only do you lose fallback in this case, but you also don't get
password change on expired password, unless you patched the code to not
require master_kdc in that case as well.

I added the following to the man page of my pam-krb5 module because of
that:

       If you are using MIT Kerberos, be aware that users whose passwords
       are expired will not be prompted to change their password unless
       the KDC configuration for your realm in [realms] in krb5.conf
       contains a master_kdc setting or, if using DNS SRV records, you
       have a DNS entry for _kerberos-master as well as _kerberos.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
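A quick way to audit for the gap Russ describes is to parse the `[realms]` section of `krb5.conf` and flag realms that declare `kdc` but no `master_kdc`, while also listing the `_kerberos-master` SRV names the DNS route would need. The following is an added example, not code from the post or from pam-krb5 or MIT Kerberos; the sample `krb5.conf` text is constructed, and the function names are my own.

```python
"""Audit krb5.conf [realms] stanzas for a master_kdc setting (added example)."""
import re

# Constructed sample krb5.conf: one realm with master_kdc, one without.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
        master_kdc = kdc1.example.com
    }
    # Comment lines and blank lines are ignored by the parser below.
    NOMASTER.TEST = {
        kdc = kdc.nomaster.test
        admin_server = kdc.nomaster.test
    }
"""


def parse_realms(conf_text):
    """Return {realm: {key: [values]}} from the [realms] section of krb5.conf text.

    Only the flat 'key = value' relations inside 'REALM = { ... }' are handled,
    which is all that master_kdc / kdc / admin_server require.
    """
    realms = {}
    section = None
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section = m.group(1)
            current = None
            continue
        if section != 'realms':
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:
            current = realms.setdefault(m.group(1), {})
            continue
        if line == '}':
            current = None
            continue
        if current is not None and '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            current.setdefault(key, []).append(value)
    return realms


def check_master_kdc(conf_text):
    """Return {realm: (has_master_kdc, [srv names])} for every realm found.

    has_master_kdc is True when the stanza sets master_kdc. The SRV names are
    the _kerberos-master records (UDP and TCP) MIT Kerberos would look up
    instead if the realm relies on DNS SRV discovery.
    """
    report = {}
    for realm, settings in parse_realms(conf_text).items():
        has_master = bool(settings.get('master_kdc'))
        srv_names = [f'_kerberos-master._udp.{realm}', f'_kerberos-master._tcp.{realm}']
        report[realm] = (has_master, srv_names)
    return report


if __name__ == '__main__':
    for realm, (ok, srv_names) in check_master_kdc(SAMPLE_KRB5_CONF).items():
        status = 'ok' if ok else 'MISSING master_kdc (or provide SRV: %s)' % ', '.join(srv_names)
        print(f'{realm}: {status}')
```

Run it against a real `krb5.conf` by reading the file into `check_master_kdc`; a realm reported as missing `master_kdc` is one where expired-password users will not be prompted to change their password, unless the `_kerberos-master` SRV records exist in DNS.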


More information about the krbdev mailing list