suggestion for locating master kdc logic
Will Fiveash
will.fiveash at oracle.com
Mon Apr 9 15:44:39 EDT 2012
On Mon, Apr 09, 2012 at 09:34:14AM -0500, Nico Williams wrote:
> On Mon, Apr 9, 2012 at 7:16 AM, Sam Hartman <hartmans at mit.edu> wrote:
> > So, whether it makes sense to go to a master KDC is a property of a
> > realm.
>
> Yes. Fallback to master for initial authentication should definitely
> be a separate parameter, regardless of whether a master/admin/kpasswd
> server(s) is(are) specified.
If my proposed realm config parameter try_admin_server_on_err (or
whatever it should be named) is implemented then the admin would have
complete control over the fall-back behavior. Note the following
examples are for a client sending an initial auth request to a KDC:
# By default would fall back to try admin_server (using default KDC
# port) if receiving an invalid password or princ not found error from
# kdc1.
FOO.COM = {
    kdc = kdc1.foo.com
    admin_server = kdc3.foo.com
}

# Would immediately fail on receiving an invalid password or princ not
# found error from kdc1.
FOO.COM = {
    kdc = kdc1.foo.com
    try_admin_server_on_err = false
    admin_server = kdc3.foo.com
}

# Would fall back to trying master_kdc using port 45001 on receiving an
# invalid password or princ not found error from kdc1. admin_server
# would never be used for fall back for the error condition described
# above.
FOO.COM = {
    kdc = kdc1.foo.com:45001
    master_kdc = kdc2.foo.com:45001
    admin_server = kdc3.foo.com:45002
}
--
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
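The fall-back rule proposed in the message above, modelled as an added example (not code from the thread or from MIT krb5): it parses a realm stanza like the three shown and decides which server, if any, a client should retry initial authentication against after a "wrong password" or "principal unknown" error. The error names, the default KDC port of 88 and the accepted spellings of the false value are assumptions of this example.

```python
import re

DEFAULT_KDC_PORT = 88  # assumed "default KDC port" from the message

# Assumed error codes for "invalid password" and "princ not found".
FALLBACK_ERRORS = {"KDC_ERR_PREAUTH_FAILED", "KDC_ERR_C_PRINCIPAL_UNKNOWN"}

# Constructed stanzas mirroring the three examples in the message.
EXAMPLE_DEFAULT = "FOO.COM = {\n kdc = kdc1.foo.com\n admin_server = kdc3.foo.com\n}"
EXAMPLE_DISABLED = ("FOO.COM = {\n kdc = kdc1.foo.com\n"
                    " try_admin_server_on_err = false\n admin_server = kdc3.foo.com\n}")
EXAMPLE_MASTER = ("FOO.COM = {\n kdc = kdc1.foo.com:45001\n"
                  " master_kdc = kdc2.foo.com:45001\n admin_server = kdc3.foo.com:45002\n}")


def parse_realm_stanza(text):
    """Parse one 'REALM = { key = value ... }' block into (realm, {key: value})."""
    m = re.search(r"(\S+)\s*=\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no realm stanza found")
    cfg = {}
    for line in m.group(2).splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return m.group(1), cfg


def split_hostport(spec, default_port):
    """'host:port' -> (host, port); bare 'host' gets default_port."""
    host, sep, port = spec.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (spec, default_port)


def next_server_after_error(cfg, error):
    """Return (host, port) to retry against, or None to fail immediately.

    master_kdc, when set, is always preferred and admin_server is never
    used; otherwise admin_server is tried on the default KDC port unless
    try_admin_server_on_err is false.
    """
    if error not in FALLBACK_ERRORS:
        return None
    if "master_kdc" in cfg:
        return split_hostport(cfg["master_kdc"], DEFAULT_KDC_PORT)
    if cfg.get("try_admin_server_on_err", "true").lower() in ("false", "no", "0"):
        return None
    if "admin_server" not in cfg:
        return None
    host, _ = split_hostport(cfg["admin_server"], DEFAULT_KDC_PORT)  # kadmin port is ignored
    return host, DEFAULT_KDC_PORT
```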