[17543] in Kerberos_V5_Development
suggestion for locating master kdc logic
daemon@ATHENA.MIT.EDU (Will Fiveash)
Tue Apr 3 19:14:20 2012
Date: Tue, 3 Apr 2012 18:14:11 -0500
From: Will Fiveash <will.fiveash@oracle.com>
To: MIT Kerberos Dev List <krbdev@mit.edu>
Message-ID: <20120403231411.GA17226@oracle.com>
Looking at the code for krb5_get_init_creds_password() and
prof_locate_server() I see that if the KDC specified by a "kdc =" spec
in krb5.conf returns a krb error, the acquire krb cred logic is to look
for a master_kdc spec either in krb5.conf or via DNS and if one isn't
found, give up. Given that the admin_server/kpasswd_server specs are
very likely to reference a master KDC, shouldn't the *_locate_server()
functions when given a locate_service type of locate_service_master_kdc
try to first find master_kdc (current behavior) and if that fails then
admin_server and finally kpasswd_server? I can't imagine why master_kdc
would point to a different KDC than the one the admin_server is set to.
--
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
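
The fallback order proposed in the message above, as an added sketch that is not MIT krb5 code and not part of the original post. `struct relation`, `host_only` and `locate_master` are hypothetical names, the realm stanza is constructed, the DNS lookup is omitted, and it assumes the port on each value is dropped because the admin_server and kpasswd_server ports name services other than the KDC.

```c
#include <stdio.h>
#include <string.h>

struct relation { const char *key, *value; };   /* one "key = value" line */
/* Proposed lookup order; the post says only master_kdc is consulted today. */
static const char *const order[] = { "master_kdc", "admin_server", "kpasswd_server" };

/* Copy the host part of "host", "host:port" or "[v6addr]:port" into out; 0 on success. */
static int host_only(const char *val, char *out, size_t outlen)
{
    const char *start = val, *end;
    if (*val == '[') {                      /* bracketed IPv6 literal */
        start = val + 1;
        end = strchr(start, ']');
        if (end == NULL) return -1;
    } else {
        end = strchr(val, ':');
        if (end == NULL) end = val + strlen(val);
    }
    size_t len = (size_t)(end - start);
    if (len == 0 || len >= outlen) return -1;   /* empty or would truncate */
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* Returns the index into order[] of the relation used, or -1 if none fits. */
int locate_master(const struct relation *rel, size_t n, char *host, size_t hostlen)
{
    for (size_t i = 0; i < sizeof(order) / sizeof(order[0]); i++)
        for (size_t j = 0; j < n; j++)
            if (strcmp(rel[j].key, order[i]) == 0 &&
                host_only(rel[j].value, host, hostlen) == 0)
                return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed realm stanza with no master_kdc relation. */
    const struct relation realm[] = {
        { "kdc", "kdc2.example.com" },
        { "kpasswd_server", "kdc1.example.com:464" },
        { "admin_server", "kdc1.example.com:749" },
    };
    char host[256];
    int src = locate_master(realm, 3, host, sizeof(host));
    if (src >= 0) printf("master KDC candidate %s (from %s)\n", host, order[src]);
    return src < 0;
}
```

Precedence follows the proposed order rather than the order of lines in the stanza, so admin_server wins over kpasswd_server here even though it is listed later.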