suggestion for locating master kdc logic

Sam Hartman hartmans at MIT.EDU
Mon Apr 9 17:46:04 EDT 2012

>>>>> "Tom" == Tom Yu <tlyu at MIT.EDU> writes:

    Tom> Sam Hartman <hartmans at MIT.EDU> writes:
    >> I also think it would be reasonable to consider an argument that
    >> the default user experience for most installations of MIT
    >> Kerberos will be improved by falling back to admin_server.  My
    >> suspicion as to why we decided not to do this is that a lot of
    >> people configure AD KDCs as admin_servers not kpasswd_servers.

    Tom> Do you mean in the krb5.conf files, or elsewhere?  I'm not sure
    Tom> it makes sense to configure AD KDCs in krb5.conf as
    Tom> admin_servers.

Keep in mind that we used to not support or at least not document

    >> One thing to check here is what AD's default SRV records do in
    >> this instance. If they publish admin_server records then it's
    >> probably not a good idea to fall back by default.

    Tom> I doubt that AD publishes SRV records for "kerberos-adm", since
    Tom> that port number is meant for the MIT krb5 kadmin RPC protocol.
    Tom> Based on a single sample, AD does appear to publish SRV records
    Tom> for "kpasswd".  How would an AD KDC function as an
    Tom> admin_server?

If they did it it would be because of the kpasswd server.

More information about the krbdev mailing list