suggestion for locating master kdc logic

[Will Fiveash]

On Mon, Apr 09, 2012 at 05:46:04PM -0400, Sam Hartman wrote:
> >>>>> "Tom" == Tom Yu <tlyu at MIT.EDU> writes:
> 
>     Tom> Sam Hartman <hartmans at MIT.EDU> writes:
>     >> I also think it would be reasonable to consider an argument that
>     >> the default user experience for most installations of MIT
>     >> Kerberos will be improved by falling back to admin_server.  My
>     >> suspicion as to why we decided not to do this is that a lot of
>     >> people configure AD KDCs as admin_servers not kpasswd_servers.
> 
>     Tom> Do you mean in the krb5.conf files, or elsewhere?  I'm not sure
>     Tom> it makes sense to configure AD KDCs in krb5.conf as
>     Tom> admin_servers.
> 
> Keep in mind that we used to not support or at least not document
> kpasswd_server.

I agree that it is quite possible even in AD environments that only the
admin_server is being specified.  In fact, the Solaris krb client config
utility, kclient does not set kpasswd_server because at the time it was
created the developer presumed init cred error fall back to admin_server
behavior.

>     >> One thing to check here is what AD's default SRV records do in
>     >> this instance. If they publish admin_server records then it's
>     >> probably not a good idea to fall back by default.
> 
>     Tom> I doubt that AD publishes SRV records for "kerberos-adm", since
>     Tom> that port number is meant for the MIT krb5 kadmin RPC protocol.
>     Tom> Based on a single sample, AD does appear to publish SRV records
>     Tom> for "kpasswd".  How would an AD KDC function as an
>     Tom> admin_server?
> 
> If they did it it would be because of the kpasswd server.

In draft-ietf-krb-wg-krb-dns-locate-03.txt, the SRV record for the
kpassword server is described.

-- 
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>