[17565] in Kerberos_V5_Development


Re: suggestion for locating master kdc logic

daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Apr 6 16:09:16 2012

From: Russ Allbery <rra@stanford.edu>
To: krbdev@mit.edu
In-Reply-To: <20120406195304.GC14892@oracle.com> (Will Fiveash's message of
	"Fri, 6 Apr 2012 14:53:04 -0500")
Date: Fri, 06 Apr 2012 13:09:12 -0700
Message-ID: <87ty0w62s7.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

Will Fiveash <will.fiveash@oracle.com> writes:

> Certainly for Solaris, we have not documented master_kdc so I'm pretty
> sure most if not all krb configs on those systems are not benefiting
> from the fall back to master_kdc when getting a krb err.

Not only do you lose fallback in this case, but you also don't get
password change on expired password, unless you patched the code to not
require master_kdc in that case as well.

I added the following to the man page of my pam-krb5 module because of
that:

       If you are using MIT Kerberos, be aware that users whose passwords
       are expired will not be prompted to change their password unless
       the KDC configuration for your realm in [realms] in krb5.conf
       contains a master_kdc setting or, if using DNS SRV records, you
       have a DNS entry for _kerberos-master as well as _kerberos.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
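The man page text above describes two ways a realm can satisfy the master KDC requirement: a `master_kdc` line inside the realm's block in `[realms]` in krb5.conf, or a `_kerberos-master` SRV record in DNS. The following is an added example (not from this thread, and not part of pam-krb5 or MIT Kerberos) that parses a constructed krb5.conf and reports which realms have no `master_kdc` setting, along with the conventional `_kerberos-master._udp.<realm>` / `_tcp` SRV names that would have to exist in DNS instead. The parser, the sample file and the SRV name construction are all assumptions made for the example; the script does not query DNS, so it runs offline.

```python
"""Audit a krb5.conf [realms] section for realms that lack master_kdc.

Example code added to illustrate the krbdev message above; it is not
MIT Kerberos, Solaris or pam-krb5 code. Assumptions (not stated in the
original message):
  - krb5.conf uses the usual MIT profile syntax: [section] headers,
    `name = value` lines, and `name = {` ... `}` nested realm blocks.
  - A realm with no master_kdc needs a _kerberos-master SRV record; the
    names generated below follow the conventional
    _kerberos-master._udp.<REALM> / _tcp form and are printed, not resolved.
"""

import re
from typing import Dict, List

# Constructed sample krb5.conf: one realm with master_kdc, one without.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        master_kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
    LAB.EXAMPLE.NET = {
        kdc = kdc.lab.example.net    # no master_kdc: expired-password change will not be offered
    }
"""


def parse_realms(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {realm: {key: [values, ...]}} for the [realms] section.

    Only [realms] is parsed. Repeated keys (several kdc lines) accumulate
    into a list. Comments introduced by '#' or ';' are ignored.
    """
    realms: Dict[str, Dict[str, List[str]]] = {}
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:                      # new [section]
            section = m.group(1)
            current = None
            continue
        if section != "realms":
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:                      # start of a realm block
            current = m.group(1)
            realms[current] = {}
            continue
        if line == "}":            # end of a realm block
            current = None
            continue
        m = re.match(r"^(\S+)\s*=\s*(.+)$", line)
        if m and current is not None:
            realms[current].setdefault(m.group(1), []).append(m.group(2).strip())
    return realms


def realms_without_master_kdc(text: str) -> List[str]:
    """Realm names whose block has no master_kdc setting (sorted)."""
    return sorted(r for r, kv in parse_realms(text).items() if "master_kdc" not in kv)


def master_srv_names(realm: str) -> List[str]:
    """Conventional SRV names a realm without master_kdc must publish (assumption)."""
    return [f"_kerberos-master._udp.{realm}", f"_kerberos-master._tcp.{realm}"]


if __name__ == "__main__":
    missing = realms_without_master_kdc(SAMPLE_KRB5_CONF)
    if not missing:
        print("every realm sets master_kdc")
    for realm in missing:
        print(f"{realm}: no master_kdc in krb5.conf; DNS must provide one of:")
        for name in master_srv_names(realm):
            print(f"    {name}  (SRV)")
```

Running it against a real `/etc/krb5.conf` (read the file instead of the embedded sample) lists the realms where MIT-based clients will neither fall back to the master on a KDC error nor prompt for a password change on an expired password, unless the SRV records printed for them resolve.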
