suggestion for locating master kdc logic

Nico Williams nico at
Mon Apr 9 17:43:52 EDT 2012

On Mon, Apr 9, 2012 at 4:06 PM, Sam Hartman <hartmans at> wrote:
> I also think it would be reasonable to consider an argument that the
> default user experience for most installations of MIT Kerberos will be
> improved by falling back to admin_server.  My suspicion as to why we
> decided not to do this is that a lot of people configure AD KDCs as
> admin_servers not kpasswd_servers.
> One thing to check here is what AD's default SRV records do in this
> instance. If they publish admin_server records then it's probably not a
> good idea to fall back by default.

Auto-discovery is generally a good idea.  Here it seems to me that
it'd be safe to use auto-discovery.  I'm not sure what the best way to
do it would be.  I guess you could search for tell-tale _msdcs and
such SRV RRs.


More information about the krbdev mailing list