suggestion for locating master kdc logic
Sam Hartman
hartmans at MIT.EDU
Sat Apr 7 10:03:19 EDT 2012
>>>>> "Will" == Will Fiveash <will.fiveash at oracle.com> writes:
Will> On Fri, Apr 06, 2012 at 04:45:08PM -0400, Sam Hartman wrote:
>> Looking for kpasswd_server is a bad idea because of AD. In
>> practice it doubles the number of account lockout attempts when
>> you give a bad password.
Will> I forgot about the account lockout issue; however, it seems like
Will> that issue also applies to trying admin_server in an
Will> environment where KDCs are enforcing account lockout policies.
Will> In either case, setting my proposed try_admin_server_on_err
Will> (or whatever it should be called) to false would limit fallback
Will> to just master_kdc, if it existed.
I am opposed to this change. I'm particularly opposed to a version of
the change that considers kpasswd_server.