suggestion for locating master kdc logic
Nico Williams
nico at cryptonector.com
Mon Apr 9 10:34:14 EDT 2012
On Mon, Apr 9, 2012 at 7:16 AM, Sam Hartman <hartmans at mit.edu> wrote:
> So, whether to go to a master KDC is a realm property. If your realm is
> multi-master or otherwise has fairly good replication (iprop with the
> default delay doesn't count) then the master KDC concept is
> problematic. Similarly, if different principals are homed at different
> KDCs, then master KDC doesn't make sense.
It might be possible to have a multi-master realm where not all KDCs
are masters. This is quite likely in some LDAP configurations, or so
I would think. This argues for a multi-valued master parameter.
> So, whether it makes sense to go to a master KDC is a property of a
> realm.
Yes. Fallback to master for initial authentication should definitely
be a separate parameter, regardless of whether a master/admin/kpasswd
server(s) is(are) specified.
> I don't think it makes sense to have a libdefault switch to set that
> behavior because there's no general default.
Right. This is per-realm, not global to a client.
Nico
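The per-realm policy discussed in this message, as an added illustration (not code from the thread, from MIT krb5 or from any KDC implementation): a tiny parser for a krb5.conf-style `[realms]` section in which `master_kdc` may repeat, so a realm can list several masters, plus a decision function that applies a hypothetical per-realm `fallback_to_master` flag when an AS exchange fails. `kdc`, `master_kdc`, `admin_server` and `kpasswd_server` are real krb5.conf tags; `fallback_to_master` is an assumed name for the separate parameter proposed above, and treating `KDC_ERR_PREAUTH_FAILED` as the only trigger is a simplification of real client behaviour. The configuration text is constructed for the example.

```python
"""Toy model of per-realm master-KDC fallback (added illustration, not krb5 code).

Assumptions (not from the thread):
- a minimal parser handles the krb5.conf subset shown, allowing a tag to
  repeat so `master_kdc` can be multi-valued;
- `fallback_to_master` is a HYPOTHETICAL per-realm boolean, not a real tag;
- the caller reports the failed initial authentication as an error name.
"""
import re
from collections import defaultdict

# Constructed sample: one realm with a single master and slow replication,
# one multi-master realm (LDAP-backed) where only some KDCs are masters.
SAMPLE_KRB5_CONF = """
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        master_kdc = kdc1.example.com
        fallback_to_master = true
    }
    MULTIMASTER.EXAMPLE = {
        kdc = ldap-a.multimaster.example
        kdc = ldap-b.multimaster.example
        kdc = ldap-c.multimaster.example
        master_kdc = ldap-a.multimaster.example
        master_kdc = ldap-b.multimaster.example
        fallback_to_master = false
    }
"""


def parse_realms(text):
    """Parse the [realms] section into {realm: {tag: [value, ...]}}.

    Values are always lists so a repeated tag (kdc, master_kdc) keeps every
    entry in file order.  Only the syntax used in the sample is supported.
    """
    realms = {}
    current = None
    in_realms = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('['):
            in_realms = (line == '[realms]')
            continue
        if not in_realms:
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:
            current = m.group(1)
            realms[current] = defaultdict(list)
            continue
        if line == '}':
            current = None
            continue
        m = re.match(r'^(\S+)\s*=\s*(.+)$', line)
        if m and current is not None:
            realms[current][m.group(1)].append(m.group(2).strip())
    return {r: dict(tags) for r, tags in realms.items()}


def kdcs_to_retry(realms, realm, tried_kdc, error):
    """KDCs an AS-REQ should be retried against after `error` from `tried_kdc`.

    An empty list means the failure is treated as authoritative: either the
    realm did not opt in to master fallback, the error is not one that a
    fresher replica could fix, or the failing KDC is already a master.
    """
    cfg = realms[realm]
    fallback = cfg.get('fallback_to_master', ['false'])[0].lower() == 'true'
    masters = cfg.get('master_kdc', [])
    if error != 'KDC_ERR_PREAUTH_FAILED' or not fallback or tried_kdc in masters:
        return []
    return list(masters)


if __name__ == '__main__':
    cfg = parse_realms(SAMPLE_KRB5_CONF)
    print(kdcs_to_retry(cfg, 'EXAMPLE.COM', 'kdc2.example.com',
                        'KDC_ERR_PREAUTH_FAILED'))
    print(kdcs_to_retry(cfg, 'MULTIMASTER.EXAMPLE', 'ldap-c.multimaster.example',
                        'KDC_ERR_PREAUTH_FAILED'))
```

The point of keeping the decision in a per-realm lookup rather than a global switch is visible in the two sample realms: the same error from a non-master KDC triggers a retry in `EXAMPLE.COM` and none in `MULTIMASTER.EXAMPLE`, without any client-wide default.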