[32080] in Kerberos
Re: another (different) KDC name resolution question
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Feb 22 18:13:14 2010
From: Greg Hudson <ghudson@mit.edu>
To: Abe Singer <abe@ligo.caltech.edu>
In-Reply-To: <20100222215418.GA60489@ligo.caltech.edu>
Date: Mon, 22 Feb 2010 18:13:08 -0500
Message-ID: <1266880388.20257.543.camel@ray>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
On Mon, 2010-02-22 at 16:54 -0500, Abe Singer wrote:
> When a Kerberized daemon (server) gets contacted by a client, the server
> does a name lookup of *all* the KDCs in the realm before attempting to contact
> any KDC.
[...]
> So, is this behavior intentional, or a bug triggered by an unusual situation?
This behavior follows from the internal APIs. krb5_locate_kdc takes a
realm name and returns a complete list of addresses, and then
krb5_sendto_kdc iterates over the address list. So it's not a bug,
although I'd be happy to call it a misfeature. There are some
complications in the way of changing the behavior (specifically, a
plugin interface which assumes the realm -> addrlist interface), so I
don't know if it's likely to get better in the near future.
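
The following is an added example, not part of the original message and not MIT krb5 code. It models the "realm -> complete address list, then iterate" shape described in the reply next to a resolve-on-demand loop, to show why one slow name lookup delays contact with every KDC. All names, hostnames and timings are hypothetical and constructed; the signatures of krb5_locate_kdc and krb5_sendto_kdc are not reproduced.

```c
#include <stdio.h>

/* Constructed sample: per-host lookup cost in ms; the third name is slow
 * to resolve (for instance a resolver timeout). Not data from the thread. */
struct kdc { const char *host; int lookup_ms; int answers; };
static const struct kdc realm_kdcs[] = {
    { "kdc1.example.test", 5,    1 },
    { "kdc2.example.test", 5,    1 },
    { "kdc3.example.test", 5000, 0 },
};
#define NKDC (int)(sizeof realm_kdcs / sizeof realm_kdcs[0])

/* Hypothetical stand-in for a name lookup: returns its cost instead of
 * querying DNS, so the example runs offline. */
static int resolve_cost(const struct kdc *k) { return k->lookup_ms; }

/* Eager shape: realm -> complete address list, then iterate over it.
 * Returns ms spent on lookups before the first answering KDC is reached. */
int eager_delay_ms(void) {
    int spent = 0;
    for (int i = 0; i < NKDC; i++)        /* "locate": resolve every name */
        spent += resolve_cost(&realm_kdcs[i]);
    for (int i = 0; i < NKDC; i++)        /* "sendto": walk the finished list */
        if (realm_kdcs[i].answers) return spent;
    return -1;                            /* no KDC answered */
}

/* Lazy shape: resolve a name only when about to contact that KDC. */
int lazy_delay_ms(void) {
    int spent = 0;
    for (int i = 0; i < NKDC; i++) {
        spent += resolve_cost(&realm_kdcs[i]);
        if (realm_kdcs[i].answers) return spent;
    }
    return -1;
}

int main(void) {
    printf("eager: %d ms of lookups before a KDC answers\n", eager_delay_ms());
    printf("lazy:  %d ms of lookups before a KDC answers\n", lazy_delay_ms());
    return 0;
}
```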