[17559] in Kerberos_V5_Development


Re: suggestion for locating master kdc logic

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Apr 5 23:25:13 2012

Message-ID: <4F7E6211.909@mit.edu>
Date: Thu, 05 Apr 2012 23:25:05 -0400
From: Greg Hudson <ghudson@mit.edu>
To: krbdev@mit.edu
In-Reply-To: <20120405235350.GB14892@oracle.com>

On 04/05/2012 07:53 PM, Will Fiveash wrote:
> Anyone have a problem if I modify the MIT krb code so that if a
> master_kdc spec is not found to then look for admin_server and if that
> isn't found also look for kpasswd_server?  This change would affect
> dns_locate_server() and prof_locate_server().

I'm always a little nervous about reversing previous design decisions
that I don't completely understand.  I can find a little bit of design
rationale in ticket #1692, which says:

    Currently the admin_server tag is overloaded for kadmin and
    password changing.  So, don't use it as a filter on the KDC list;
    instead, look for master_kdc as an independent list.

I'm not quite sure what Ken had in mind here.  I can speculate that he
was concerned about environments where the kadmin or kpasswd server host
doesn't run a KDC, in which case trying to contact it would result in an
unwelcome timeout.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
