[16880] in Kerberos-V5-bugs
[krbdev.mit.edu #7721] [Comment] master_kdc is resolved sooner than
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Sun Apr 23 15:54:15 2023
From: "Greg Hudson via RT" <rt-comment@kerborg-prod-app-1.mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #7721":;
Date: Sun, 23 Apr 2023 15:54:07 -0400

http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=7721

This is a comment. It is not sent to the Requestor(s):

The fourth candidate fails because we cannot (without major changes) rewind
the initial creds state to the point of prior KDC requests.

The third candidate could be perhaps improved by having krb5_sendto_kdc()
append to a history of servers used; the servers could then be checked in one
function call making fewer DNS queries (one query per realm contacted during
the exchange). A side note: what we really want to check for is not "are all
these servers primary" but "are any of these servers replicas". If a realm
does not have a primary KDC, we want to treat all of its KDCs like primary
KDCs for the purpose of deciding whether to fall back.
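
The check proposed in the comment above, sketched as an added example; it is not part of the original message and is not libkrb5 code. The types, the function names and the static table that stands in for the per-realm primary KDC lookup are all hypothetical, and host names are assumed to be already canonicalized.

```c
#include <string.h>
/* Hypothetical types for this sketch; not libkrb5 structures. */
struct used_server { const char *realm, *host; };
struct realm_primaries { const char *realm; const char *hosts[4]; };

/* Constructed table standing in for the per-realm primary KDC lookup. */
static const struct realm_primaries primaries[] = {
    { "A.EXAMPLE", { "kdc1.a.example" } },
    { "B.EXAMPLE", { NULL } },              /* realm with no primary KDC */
};
static int lookups;                         /* simulated queries issued */

static const struct realm_primaries *lookup_primaries(const char *realm)
{
    size_t i;
    lookups++;
    for (i = 0; i < sizeof(primaries) / sizeof(primaries[0]); i++)
        if (strcmp(primaries[i].realm, realm) == 0)
            return &primaries[i];
    return NULL;
}

/* A host is a replica only if its realm names a primary and it is not one. */
static int is_replica(const struct realm_primaries *p, const char *host)
{
    int i;
    if (p == NULL || p->hosts[0] == NULL)
        return 0;                           /* no primary: treat as primary */
    for (i = 0; i < 4 && p->hosts[i] != NULL; i++)
        if (strcmp(p->hosts[i], host) == 0)
            return 0;
    return 1;
}

/* Return 1 if any server in the history is a replica, 0 otherwise. */
int any_replica_used(const struct used_server *hist, size_t n)
{
    const struct realm_primaries *p;
    size_t i, j;
    for (i = 0; i < n; i++) {
        for (j = 0; j < i && strcmp(hist[j].realm, hist[i].realm) != 0; j++) {}
        if (j < i) continue;                /* realm already checked */
        p = lookup_primaries(hist[i].realm);    /* one lookup per realm */
        for (j = i; j < n; j++)
            if (strcmp(hist[j].realm, hist[i].realm) == 0 &&
                is_replica(p, hist[j].host))
                return 1;
    }
    return 0;
}
```

A result of 1 means some request in the exchange was answered by a replica, so a retry against the primary could give a different answer; 0 means a fallback would only repeat what was already tried.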