suggestion for locating master kdc logic

Nico Williams nico at
Mon Apr 9 10:34:14 EDT 2012

On Mon, Apr 9, 2012 at 7:16 AM, Sam Hartman <hartmans at> wrote:
> So, whether to go to a master KDC is a realm property.  If your realm is
> multi-master or otherwise has fairly good replication (iprop with the
> default deflay doesn't count) then the master KDC concept is
> problematic.  Similarly, if different principals are homed at different
> KDCs, then master KDC doesn't make sense.

It might be possible to have a multi-master realm where not all KDCs
are masters.  This is quite likely in some LDAP configurations, or so
I would think.  This argues for a multi-valued master parameter.

> So, whether it makes sense to go to a master KDC is a property of a
> realm.

Yes.  Fallback to master for initial authentication should definitely
be a separate parameter, regardless of whether a mater/admin/kpasswd
server(s) is(are) specified.

> I don't think it makes sense to have a libdefault switch to set that
> behavior because there's no general default.

Right.  This is per-realm, not global to a client.


More information about the krbdev mailing list