suggestion for locating master kdc logic

Sam Hartman hartmans at MIT.EDU
Mon Apr 9 17:06:42 EDT 2012

I'm not sure what to do here.
MIT has generally been more willing to change default behavior than
Solaris particularly in the interest of making the default configuration
more likely to be what the user wants.

requiring explicit master_kdc configuration was such a change.

I guess I'd be fine with a realm-level fallback parameter that defaulted
to the current MIT behavior  and that Solaris could patch to on instead
of off.

I think you won't be able to completely avoid patches while taking code
from a project that has a different set of stability guarantees than
your code base.  Nor do I believe that adopting solaris's stability
guarantees would improve MIT Kerberos.
I think that balancing things so that you patch a default from off to on
reduces your patch size over say maintaining the fallback completely in

I also think it would be reasonable to consider an argument that the
default user experience for most installations of MIT Kerberos will be
improved by falling back to admin_server.  My suspicion as to why we
decided not to do this is that a lot of people configure AD KDCs as
admin_servers not kpasswd_servers.
One thing to check here is what AD's default SRV records do in this
instance. If they publish admin_server records then it's probably not a
good idea to fall back by default.

More information about the krbdev mailing list