suggestion for locating master kdc logic
Will Fiveash
will.fiveash at oracle.com
Fri Apr 6 17:24:59 EDT 2012
On Fri, Apr 06, 2012 at 04:45:08PM -0400, Sam Hartman wrote:
> Looking for kpasswd_server is a bad idea because of AD.
> In practice it doubles the number of account lockout attempts when you
> give a bad password.
I forgot about the account lockout issue however it seems like that
issue also applies to trying admin_server in an environment where KDCs
are enforcing account lockout policies. In either case, setting my
proposed try_admin_server_on_err (or whatever it should be called) to
false would limit fall back to just master_kdc, if it existed.
> We had a fairly long design discussion that lead to the current
> logic. However I thought we did look for master KDCs with admin_server.
MIT krb used to fall back to admin_server but that was changed with the
introduction of the master_kdc config parameter in 1.3.2. With that
change admin_server is not used when trying to acquire a krb cred.
For whatever reason we (Solaris krb developers) missed the introduction
of master_kdc and thus have not documented it nor does the krb client
setup utility, kclient, set this in krb5.conf.
--
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
More information about the krbdev
mailing list