[32081] in Kerberos

Re: another (different) KDC name resolution question

daemon@ATHENA.MIT.EDU (Abe Singer)
Mon Feb 22 18:30:26 2010

Date: Mon, 22 Feb 2010 15:30:20 -0800
From: Abe Singer <abe@ligo.caltech.edu>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20100222233019.GF60489@ligo.caltech.edu>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <1266880388.20257.543.camel@ray>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Well, that at least explains it.

You could call it a misfeature, or just an unanticipated consequence.
I suspect what we're doing here is a rare case.

If it's not going to change anytime soon, some documentation in the
right place (e.g. admin or install manual) could help.

Thanks,

-- Abe


On Mon, Feb 22, 2010 at 06:13:08PM -0500, Greg Hudson wrote:
> 
> On Mon, 2010-02-22 at 16:54 -0500, Abe Singer wrote:
> > When a Kerberized daemon (server) gets contacted by a client, the server
> > does a name lookup of *all* the KDCs in the realm before attempting to contact
> > any KDC.
> [...]
> > So, is this behavior intentional, or a bug triggered by an unusual situation?
> 
> This behavior follows from the internal APIs.  krb5_locate_kdc takes a
> realm name and returns a complete list of addresses, and then
> krb5_sendto_kdc iterates over the address list.  So it's not a bug,
> although I'd be happy to call it a misfeature.  There are some
> complications in the way of changing the behavior (specifically, a
> plugin interface which assumes the realm -> addrlist interface), so I
> don't know if it's likely to get better in the near future.
> 
> 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
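
An added example, not part of the original thread and not MIT krb5 code: a small Python model of the two-phase behavior Greg Hudson describes (resolve the realm to a complete address list, then iterate over it) next to a resolve-as-you-go variant, to show why one slow KDC name delays every request. The hostnames, addresses, lookup costs, and all function and class names are constructed for illustration.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: KDC hostname -> (addresses, simulated lookup cost in ms).
SAMPLE_DNS: Dict[str, Tuple[List[str], int]] = {
    "kdc1.example.org": (["192.0.2.10"], 10),
    "kdc2.example.org": ([], 5000),          # stale name: lookup times out
    "kdc3.example.org": (["192.0.2.30"], 10),
}
KDCS = list(SAMPLE_DNS)  # order in which the realm's KDCs are listed


class CountingResolver:
    """Stand-in for the system resolver that records what was looked up."""

    def __init__(self, table: Dict[str, Tuple[List[str], int]]):
        self.table = table
        self.lookups: List[str] = []
        self.elapsed_ms = 0

    def resolve(self, host: str) -> List[str]:
        addrs, cost = self.table[host]
        self.lookups.append(host)
        self.elapsed_ms += cost
        return addrs


def eager_send(kdcs, resolver, send: Callable[[str], bool]) -> Optional[str]:
    """Model of the realm -> addrlist interface: resolve everything first."""
    addrlist = [a for h in kdcs for a in resolver.resolve(h)]
    for addr in addrlist:          # only now is any KDC contacted
        if send(addr):
            return addr
    return None


def lazy_send(kdcs, resolver, send: Callable[[str], bool]) -> Optional[str]:
    """Hypothetical alternative: resolve each name only when it is needed."""
    for host in kdcs:
        for addr in resolver.resolve(host):
            if send(addr):
                return addr
    return None


if __name__ == "__main__":
    for fn in (eager_send, lazy_send):
        r = CountingResolver(SAMPLE_DNS)
        answered = fn(KDCS, r, lambda addr: True)   # first KDC answers
        print(fn.__name__, answered, r.lookups, f"{r.elapsed_ms} ms in DNS")
```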
