[17570] in Kerberos_V5_Development
Re: suggestion for locating master kdc logic
daemon@ATHENA.MIT.EDU (Will Fiveash)
Fri Apr 6 17:25:10 2012
Date: Fri, 6 Apr 2012 16:24:59 -0500
From: Will Fiveash <will.fiveash@oracle.com>
To: Sam Hartman <hartmans@mit.edu>
Message-ID: <20120406212459.GA24618@oracle.com>
Mail-Followup-To: Sam Hartman <hartmans@MIT.EDU>, krbdev@MIT.EDU
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <tslty0wmvxn.fsf@mit.edu>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Fri, Apr 06, 2012 at 04:45:08PM -0400, Sam Hartman wrote:
> Looking for kpasswd_server is a bad idea because of AD.
> In practice it doubles the number of account lockout attempts when you
> give a bad password.
I forgot about the account lockout issue; however, it seems like that
issue also applies to trying admin_server in an environment where KDCs
are enforcing account lockout policies. In either case, setting my
proposed try_admin_server_on_err (or whatever it should be called) to
false would limit fallback to just master_kdc, if it existed.
> We had a fairly long design discussion that led to the current
> logic. However I thought we did look for master KDCs with admin_server.
MIT krb used to fall back to admin_server, but that was changed with the
introduction of the master_kdc config parameter in 1.3.2. With that
change admin_server is not used when trying to acquire a krb cred.
For whatever reason we (Solaris krb developers) missed the introduction
of master_kdc and thus have not documented it nor does the krb client
setup utility, kclient, set this in krb5.conf.
--
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
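The message points out that a krb5.conf written without master_kdc (as the Solaris kclient utility does) gets no master fallback at all, since admin_server is no longer consulted when acquiring a credential and kpasswd_server is deliberately not tried. Below is an added example, not code from the thread, from MIT krb5 or from Oracle, that parses the [realms] section of a krb5.conf and reports, per realm, which host a client would retry after an invalid-password error. The sample configuration, the hostnames in it and the parse_realms, master_fallback and audit function names are constructed for illustration; the fallback rule it encodes (only master_kdc is retried) is the one the message describes.

```python
"""Audit krb5.conf [realms] stanzas for a master_kdc fallback target.

Added example; not code from the krbdev thread, MIT krb5 or Solaris kclient.
"""
import re
from typing import Dict, List, Optional

# Constructed sample krb5.conf. EXAMPLE.COM mirrors what the message says
# kclient writes (kdc + admin_server only); CORP.EXAMPLE sets master_kdc.
# All hostnames are hypothetical.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }
    CORP.EXAMPLE = {
        kdc = kdc-a.corp.example:88
        kdc = kdc-b.corp.example:88
        master_kdc = kdc-a.corp.example:88
        admin_server = kdc-a.corp.example
    }
"""


def parse_realms(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {realm: {tag: [values...]}} for the [realms] section.

    Handles the one level of brace nesting krb5.conf uses for realm
    stanzas, repeated tags (several kdc lines) and # / ; comment lines.
    """
    realms: Dict[str, Dict[str, List[str]]] = {}
    section: Optional[str] = None
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        sec = re.fullmatch(r"\[(\w+)\]", line)
        if sec:
            section = sec.group(1).lower()
            current = None
            continue
        if section != "realms":
            continue
        start = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if start:
            current = start.group(1)
            realms[current] = {}
            continue
        if line == "}":
            current = None
            continue
        if current is not None and "=" in line:
            tag, _, value = line.partition("=")
            realms[current].setdefault(tag.strip(), []).append(value.strip())
    return realms


def master_fallback(realm: Dict[str, List[str]]) -> Optional[str]:
    """Host retried after an invalid-password error, per the message:
    since 1.3.2 only master_kdc is consulted; admin_server is ignored
    for credential acquisition and kpasswd_server is never tried."""
    hosts = realm.get("master_kdc")
    return hosts[0] if hosts else None


def audit(text: str) -> Dict[str, Optional[str]]:
    """Map each realm to its master fallback host, or None if there is none."""
    return {name: master_fallback(cfg) for name, cfg in parse_realms(text).items()}


if __name__ == "__main__":
    for name, target in audit(SAMPLE_KRB5_CONF).items():
        if target is None:
            print(f"{name}: no master_kdc; a stale-replica password failure "
                  f"is not retried against the master")
        else:
            print(f"{name}: retried against master {target}")
```

Run it against a real /etc/krb5.conf by passing the file contents to audit(); any realm reported without a master_kdc is one where a freshly changed password can fail against a lagging replica with no second attempt, which is the gap the message says kclient leaves open.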