suggestion for locating master kdc logic

Nico Williams nico at cryptonector.com
Mon Apr 9 17:43:52 EDT 2012


On Mon, Apr 9, 2012 at 4:06 PM, Sam Hartman <hartmans at mit.edu> wrote:
> I also think it would be reasonable to consider an argument that the
> default user experience for most installations of MIT Kerberos will be
> improved by falling back to admin_server.  My suspicion as to why we
> decided not to do this is that a lot of people configure AD KDCs as
> admin_servers not kpasswd_servers.
> One thing to check here is what AD's default SRV records do in this
> instance. If they publish admin_server records then it's probably not a
> good idea to fall back by default.

Auto-discovery is generally a good idea.  Here it seems to me that
it'd be safe to use auto-discovery.  I'm not sure what the best way to
do it would be.  I guess you could search for tell-tale _msdcs and
such SRV RRs.

Nico
--


