[17558] in Kerberos_V5_Development
Re: suggestion for locating master kdc logic
daemon@ATHENA.MIT.EDU (Will Fiveash)
Thu Apr 5 19:54:07 2012
Date: Thu, 5 Apr 2012 18:53:50 -0500
From: Will Fiveash <will.fiveash@oracle.com>
To: krbdev@mit.edu
Message-ID: <20120405235350.GB14892@oracle.com>
Mail-Followup-To: krbdev@mit.edu
In-Reply-To: <20120404003945.GA14892@oracle.com>
On Tue, Apr 03, 2012 at 07:39:45PM -0500, Will Fiveash wrote:
> On Tue, Apr 03, 2012 at 06:14:11PM -0500, Will Fiveash wrote:
> > Looking at the code for krb5_get_init_creds_password() and
> > prof_locate_server() I see that if the KDC specified by a "kdc =" spec
> > in krb5.conf returns a krb error, the acquire krb cred logic is to look
> > for a master_kdc spec either in krb5.conf or via DNS and if one isn't
> > found, give up. Given that the admin_server/kpasswd_server specs are
> > very likely to reference a master KDC, shouldn't the *_locate_server()
> > functions when given a locate_service type of locate_service_master_kdc
> > try to first find master_kdc (current behavior) and if that fails then
> > admin_server and finally kpasswd_server? I can't imagine why master_kdc
> > would point to a different KDC than the one the admin_server is set to.
>
> Thinking more, I realize that performance may be a reason not to fall
> back to trying admin_server if master_kdc isn't found; however, if the
> logic could determine that the admin_server pointed to a KDC that
> differed from the previous KDC that returned a krb error then this would
> at least avoid a redundant attempt to acquire a krb cred. Are there
> cases where it is desired to only try one KDC when attempting to acquire
> a krb cred and not fall back to trying the master KDC as specified by
> either master_kdc, admin_server or kpasswd_server?
Anyone have a problem if I modify the MIT krb code so that if a
master_kdc spec is not found to then look for admin_server and if that
isn't found also look for kpasswd_server? This change would affect
dns_locate_server() and prof_locate_server().
--
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
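The fallback order proposed in this thread (master_kdc, then admin_server, then kpasswd_server), written out as an added example that is not MIT krb5 code and does not touch dns_locate_server() or prof_locate_server(). It parses only the [realms] section of a constructed krb5.conf fragment, and skips a host that already returned a krb error so the redundant retry discussed above is avoided; the realm names, hosts and helper names are assumptions.

```python
import re

# Constructed krb5.conf fragment (not from the thread): EXAMPLE.COM lists a
# slave "kdc" plus master_kdc/admin_server, OTHER.ORG only kpasswd_server.
SAMPLE_KRB5_CONF = """
[realms]
    EXAMPLE.COM = {
        kdc = kdc2.example.com:88
        master_kdc = kdc1.example.com:88
        admin_server = kdc1.example.com:749
    }
    OTHER.ORG = {
        kdc = kdc.other.org
        kpasswd_server = kdc.other.org:464
    }
"""

def parse_realms(text):
    """Return {realm: {key: [values]}} from the [realms] section only."""
    realms, current, in_realms = {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):                   # any section header
            in_realms = line == "[realms]"
        elif not in_realms:
            continue
        elif re.match(r"^\S+\s*=\s*\{$", line):    # "REALM = {"
            current = line.split("=", 1)[0].strip()
            realms[current] = {}
        elif line == "}":
            current = None
        elif current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            realms[current].setdefault(key, []).append(value)
    return realms

def hostname(spec):
    """Drop an optional :port so kdc1:88 and kdc1:749 compare as one host."""
    return spec.rsplit(":", 1)[0]

def locate_master_kdc(realms, realm, failed_kdc=None):
    """Try master_kdc, then admin_server, then kpasswd_server (the order
    proposed in the thread); skip the host that already returned an error."""
    for key in ("master_kdc", "admin_server", "kpasswd_server"):
        for spec in realms.get(realm, {}).get(key, []):
            if failed_kdc is None or hostname(spec) != hostname(failed_kdc):
                return key, hostname(spec)
    return None
```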
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev