[17574] in Kerberos_V5_Development
Re: suggestion for locating master kdc logic
daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon Apr 9 08:17:26 2012
From: Sam Hartman <hartmans@mit.edu>
To: krbdev@mit.edu
Date: Mon, 09 Apr 2012 08:16:53 -0400
In-Reply-To: <20120407195139.GA83@oracle.com> (Will Fiveash's message of "Sat,
7 Apr 2012 14:51:39 -0500")
Message-ID: <tslvcl9je16.fsf@mit.edu>

So, whether to go to a master KDC is a realm property. If your realm is
multi-master or otherwise has fairly good replication (iprop with the
default delay doesn't count) then the master KDC concept is
problematic. Similarly, if different principals are homed at different
KDCs, then master KDC doesn't make sense.

So, whether it makes sense to go to a master KDC is a property of a
realm.

I don't think it makes sense to have a libdefault switch to set that
behavior because there's no general default.

So, I guess you could have a per-realm switch to specify whether to fall
back to admin_server for that realm, but why not just specify the master
KDC at that point?

--Sam