suggestion for locating master kdc logic

Sam Hartman hartmans at MIT.EDU
Sat Apr 7 10:03:19 EDT 2012


>>>>> "Will" == Will Fiveash <will.fiveash at oracle.com> writes:

    Will> On Fri, Apr 06, 2012 at 04:45:08PM -0400, Sam Hartman wrote:
    >> Looking for kpasswd_server is a bad idea because of AD.  In
    >> practice it doubles the number of account lockout attempts when
    >> you give a bad password.

    Will> I forgot about the account lockout issue; however, it seems like
    Will> that issue also applies to trying admin_server in an
    Will> environment where KDCs are enforcing account lockout policies.
    Will> In either case, setting my proposed try_admin_server_on_err
    Will> (or whatever it should be called) to false would limit fallback
    Will> to just master_kdc, if it existed.

I am opposed to this change.  I'm particularly opposed to a version of
the change that considers kpasswd_server.
