[17575] in Kerberos_V5_Development


Re: suggestion for locating master kdc logic

daemon@ATHENA.MIT.EDU (Nico Williams)
Mon Apr 9 10:36:10 2012

MIME-Version: 1.0
In-Reply-To: <tslvcl9je16.fsf@mit.edu>
Date: Mon, 9 Apr 2012 09:34:14 -0500
Message-ID: <CAK3OfOgg8hY_voC3Q1DsT0ZJEvTLCMS6mpK0u93YLcwgdHdR4w@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Sam Hartman <hartmans@mit.edu>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Mon, Apr 9, 2012 at 7:16 AM, Sam Hartman <hartmans@mit.edu> wrote:
> So, whether to go to a master KDC is a realm property.  If your realm is
> multi-master or otherwise has fairly good replication (iprop with the
> default delay doesn't count) then the master KDC concept is
> problematic.  Similarly, if different principals are homed at different
> KDCs, then master KDC doesn't make sense.

It might be possible to have a multi-master realm where not all KDCs
are masters.  This is quite likely in some LDAP configurations, or so
I would think.  This argues for a multi-valued master parameter.

> So, whether it makes sense to go to a master KDC is a property of a
> realm.

Yes.  Fallback to master for initial authentication should definitely
be a separate parameter, regardless of whether a master/admin/kpasswd
server(s) is(are) specified.

> I don't think it makes sense to have a libdefault switch to set that
> behavior because there's no general default.

Right.  This is per-realm, not global to a client.

Nico
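The decision logic this thread argues for (masters as a multi-valued, per-realm setting; fallback to master as a separate per-realm switch; nothing in libdefaults), as an added illustration that is not code from the thread or from MIT krb5. The `RealmConfig` shape and the `fallback_to_master` switch are hypothetical; the sample realms are constructed.

```python
"""Per-realm master-KDC fallback decision, modelled on the points in this thread.

Hypothetical configuration shape, not krb5's real profile API:
  RealmConfig(kdcs=[...], master_kdcs=[...], fallback_to_master=bool)
"""
from dataclasses import dataclass, field


@dataclass
class RealmConfig:
    kdcs: list
    # Multi-valued: a multi-master realm may have several masters, and not
    # every KDC need be one (the LDAP case mentioned in the thread).
    master_kdcs: list = field(default_factory=list)
    # Separate switch, per realm, independent of whether masters are listed.
    fallback_to_master: bool = True


# Constructed sample configuration covering the three cases discussed.
REALMS = {
    "EXAMPLE.COM": RealmConfig(
        kdcs=["kdc1.example.com", "kdc2.example.com"],
        master_kdcs=["kdc1.example.com"]),
    "MULTI.EXAMPLE": RealmConfig(
        kdcs=["a.multi.example", "b.multi.example", "c.multi.example"],
        master_kdcs=["a.multi.example", "b.multi.example"]),
    "NOMASTER.EXAMPLE": RealmConfig(
        kdcs=["x.nomaster.example"], fallback_to_master=False),
}


def master_retry_targets(realm, failed_kdc, realms=REALMS):
    """Return the master KDCs to retry initial authentication against after a
    failure at failed_kdc (e.g. one that might be due to replication lag), or
    [] when no retry makes sense for this realm.

    The decision is taken per realm; there is deliberately no global switch.
    """
    cfg = realms.get(realm)
    if cfg is None or not cfg.fallback_to_master or not cfg.master_kdcs:
        return []
    # Retrying the KDC that just answered gains nothing, even if it is a master.
    return [m for m in cfg.master_kdcs if m != failed_kdc]
```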