suggestion for locating master kdc logic

Will Fiveash will.fiveash at
Mon Apr 9 18:28:51 EDT 2012

On Mon, Apr 09, 2012 at 05:46:04PM -0400, Sam Hartman wrote:
> >>>>> "Tom" == Tom Yu <tlyu at MIT.EDU> writes:
>     Tom> Sam Hartman <hartmans at MIT.EDU> writes:
>     >> I also think it would be reasonable to consider an argument that
>     >> the default user experience for most installations of MIT
>     >> Kerberos will be improved by falling back to admin_server.  My
>     >> suspicion as to why we decided not to do this is that a lot of
>     >> people configure AD KDCs as admin_servers not kpasswd_servers.
>     Tom> Do you mean in the krb5.conf files, or elsewhere?  I'm not sure
>     Tom> it makes sense to configure AD KDCs in krb5.conf as
>     Tom> admin_servers.
> Keep in mind that we used to not support or at least not document
> kpasswd_server.

I agree that it is quite possible even in AD environments that only the
admin_server is being specified.  In fact, the Solaris krb client config
utility, kclient, does not set kpasswd_server because at the time it was
created the developer presumed init cred error fall back to admin_server.

>     >> One thing to check here is what AD's default SRV records do in
>     >> this instance. If they publish admin_server records then it's
>     >> probably not a good idea to fall back by default.
>     Tom> I doubt that AD publishes SRV records for "kerberos-adm", since
>     Tom> that port number is meant for the MIT krb5 kadmin RPC protocol.
>     Tom> Based on a single sample, AD does appear to publish SRV records
>     Tom> for "kpasswd".  How would an AD KDC function as an
>     Tom> admin_server?
> If they did it it would be because of the kpasswd server.

In draft-ietf-krb-wg-krb-dns-locate-03.txt, the SRV record for the
kpassword server is described.

Will Fiveash
Oracle Solaris Software Engineer
Sent using mutt, a sweet, text based e-mail app
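As an added illustration, not part of the thread, here is the krb5.conf pattern the discussion turns on: a realm that names only admin_server and so depends on the client falling back to it for password changes, beside an AD realm where kpasswd_server is spelled out so no fallback is needed. The realm names and host names are placeholders.

```ini
[libdefaults]
    default_realm  = MIT.EXAMPLE.COM
    # With DNS lookup enabled, a realm that publishes SRV records can
    # supply the kpasswd host instead of the stanzas below, e.g.
    #   _kpasswd._udp.AD.EXAMPLE.COM.  SRV 0 0 464 dc1.ad.example.com.
    #   _kpasswd._tcp.AD.EXAMPLE.COM.  SRV 0 0 464 dc1.ad.example.com.
    dns_lookup_kdc = true

[realms]
    # MIT realm: kadmind (kadmin RPC, port 749) and the kpasswd service
    # (port 464) normally run on the same host, so naming only
    # admin_server works as long as the client falls back to that host
    # for password changes, which is the behaviour being debated.
    MIT.EXAMPLE.COM = {
        kdc          = kdc1.mit.example.com
        admin_server = kdc1.mit.example.com
    }

    # AD realm: a domain controller speaks the kpasswd protocol but not
    # the MIT kadmin RPC, so listing it only as admin_server (a habit from
    # before kpasswd_server was documented) relies entirely on the
    # fallback.  Naming kpasswd_server explicitly removes that dependency.
    AD.EXAMPLE.COM = {
        kdc            = dc1.ad.example.com
        kpasswd_server = dc1.ad.example.com
        # admin_server = dc1.ad.example.com   # not a kadmin RPC server
    }

[domain_realm]
    .mit.example.com = MIT.EXAMPLE.COM
    .ad.example.com  = AD.EXAMPLE.COM
```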
