suggestion for locating master kdc logic

Will Fiveash will.fiveash at
Fri Apr 6 17:24:59 EDT 2012

On Fri, Apr 06, 2012 at 04:45:08PM -0400, Sam Hartman wrote:
> Looking for kpasswd_server is a bad idea because of AD.
> In practice it doubles the number of account lockout attempts when you
> give a bad password.

I forgot about the account lockout issue; however, it seems like that
issue also applies to trying admin_server in an environment where KDCs
are enforcing account lockout policies.  In either case, setting my
proposed try_admin_server_on_err (or whatever it should be called) to
false would limit fallback to just master_kdc, if it existed.

> We had a fairly long design discussion that led to the current
> logic. However I thought we did look for master KDCs with admin_server.

MIT krb used to fall back to admin_server but that was changed with the
introduction of the master_kdc config parameter in 1.3.2.  With that
change admin_server is not used when trying to acquire a krb cred.

For whatever reason we (Solaris krb developers) missed the introduction
of master_kdc and thus have not documented it nor does the krb client
setup utility, kclient, set this in krb5.conf.

Will Fiveash
Oracle Solaris Software Engineer
Sent using mutt, a sweet, text-based e-mail app
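The master_kdc gap described above (a client setup tool that never writes the parameter), as an added example that is not part of the original thread: a small parser for the [realms] section of an MIT-style krb5.conf that lists the realms defining no master_kdc. The sample configuration is constructed.

```python
"""Parse the [realms] section of an MIT-style krb5.conf and report realms
that define no master_kdc.  Added example; the sample config is constructed."""
import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }
    OTHER.EXAMPLE = {
        kdc = kdc.other.example
        master_kdc = kdc.other.example
        admin_server = kdc.other.example
    }
"""


def parse_realms(text):
    """Return {realm: {key: [values]}} from the [realms] section."""
    realms, current, in_realms = {}, None, False
    for raw in text.splitlines():
        line = re.split(r'[#;]', raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith('['):                      # section header
            in_realms = line == '[realms]'
            current = None
            continue
        if not in_realms:
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)       # "REALM = {" opens a stanza
        if m and current is None:
            current = m.group(1)
            realms[current] = {}
        elif line == '}':                             # stanza closed
            current = None
        elif current is not None and '=' in line:     # repeated keys (kdc) collect
            key, value = (s.strip() for s in line.split('=', 1))
            realms[current].setdefault(key, []).append(value)
    return realms


def realms_without_master_kdc(text):
    """Realms with no master_kdc: there is no master to retry on a preauth failure."""
    return sorted(r for r, kv in parse_realms(text).items() if 'master_kdc' not in kv)
```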
