suggestion for locating master kdc logic
hartmans at MIT.EDU
Mon Apr 9 17:46:04 EDT 2012
>>>>> "Tom" == Tom Yu <tlyu at MIT.EDU> writes:
Tom> Sam Hartman <hartmans at MIT.EDU> writes:
>> I also think it would be reasonable to consider an argument that
>> the default user experience for most installations of MIT
>> Kerberos will be improved by falling back to admin_server. My
>> suspicion as to why we decided not to do this is that a lot of
>> people configure AD KDCs as admin_servers not kpasswd_servers.
Tom> Do you mean in the krb5.conf files, or elsewhere? I'm not sure
Tom> it makes sense to configure AD KDCs in krb5.conf as
Keep in mind that we used to not support or at least not document
>> One thing to check here is what AD's default SRV records do in
>> this instance. If they publish admin_server records then it's
>> probably not a good idea to fall back by default.
Tom> I doubt that AD publishes SRV records for "kerberos-adm", since
Tom> that port number is meant for the MIT krb5 kadmin RPC protocol.
Tom> Based on a single sample, AD does appear to publish SRV records
Tom> for "kpasswd". How would an AD KDC function as an
If they did it it would be because of the kpasswd server.
More information about the krbdev