[17583] in Kerberos_V5_Development
Re: suggestion for locating master kdc logic
daemon@ATHENA.MIT.EDU (Nico Williams)
Mon Apr 9 17:43:58 2012
MIME-Version: 1.0
In-Reply-To: <tsl8vi4fwd9.fsf@mit.edu>
Date: Mon, 9 Apr 2012 16:43:52 -0500
Message-ID: <CAK3OfOiCPDRqYuQYLn8WtmMX1OGVMdbwR0yUriMW3wwsZbjR6A@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Sam Hartman <hartmans@mit.edu>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On Mon, Apr 9, 2012 at 4:06 PM, Sam Hartman <hartmans@mit.edu> wrote:
> I also think it would be reasonable to consider an argument that the
> default user experience for most installations of MIT Kerberos will be
> improved by falling back to admin_server. My suspicion as to why we
> decided not to do this is that a lot of people configure AD KDCs as
> admin_servers not kpasswd_servers.
> One thing to check here is what AD's default SRV records do in this
> instance. If they publish admin_server records then it's probably not a
> good idea to fall back by default.
Auto-discovery is generally a good idea. Here it seems to me that
it'd be safe to use auto-discovery. I'm not sure what the best way to
do it would be. I guess you could search for tell-tale _msdcs and
such SRV RRs.
Nico
--
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
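The fallback and auto-discovery logic discussed in the thread above, written out as an added example (this is not code from the krbdev thread or from MIT Kerberos). It assumes the standard Kerberos SRV names (`_kpasswd`, `_kerberos-adm`, and the `_msdcs` subdomain that Active Directory domain controllers register under); the SRV record tables are constructed inline so the script runs offline, and the "AD-looking realm without _kpasswd records" case is deliberately constructed to show the policy, not a claim about what AD publishes.

```python
"""Pick a kpasswd server for a realm from DNS SRV data (added example).

Policy sketched from the thread: use _kpasswd SRV records when present;
otherwise fall back to the admin server host, unless the realm looks like
an Active Directory domain (tell-tale _msdcs records), in which case the
default is not to fall back. The caller can force the choice either way.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


SrvTable = Dict[str, List[SrvRecord]]   # owner name (lowercase, dotted) -> records
KPASSWD_PORT = 464                      # kpasswd/changepw port; kadmin uses 749


def srv_name(service: str, proto: str, realm: str) -> str:
    """Build the SRV owner name, e.g. _kpasswd._udp.example.com."""
    return f"_{service}._{proto}.{realm.lower()}."


def lookup_srv(table: SrvTable, name: str) -> List[SrvRecord]:
    """Return records ordered per RFC 2782: lowest priority first, then
    highest weight first (a deterministic stand-in for weighted random pick)."""
    return sorted(table.get(name.lower(), []), key=lambda r: (r.priority, -r.weight))


def looks_like_active_directory(table: SrvTable, realm: str) -> bool:
    """AD domain controllers register SRV records under the _msdcs subdomain."""
    suffix = f"._msdcs.{realm.lower()}."
    return any(name.endswith(suffix) for name in table)


def choose_kpasswd_server(table: SrvTable, realm: str,
                          fallback_to_admin_server: Optional[bool] = None
                          ) -> Optional[Tuple[str, int]]:
    """Return (host, port) for password changes, or None if nothing usable."""
    for proto in ("udp", "tcp"):
        recs = lookup_srv(table, srv_name("kpasswd", proto, realm))
        if recs:
            return recs[0].target, recs[0].port
    if fallback_to_admin_server is None:
        # Auto-discovery: do not fall back by default when this is an AD domain.
        fallback_to_admin_server = not looks_like_active_directory(table, realm)
    if not fallback_to_admin_server:
        return None
    recs = lookup_srv(table, srv_name("kerberos-adm", "tcp", realm))
    if recs:
        # Reuse the admin server host but on the kpasswd port (this example's
        # choice, mirroring the krb5.conf convention of deriving kpasswd_server
        # from admin_server), not kadmin's port from the SRV record.
        return recs[0].target, KPASSWD_PORT
    return None


# Constructed sample data (not real zones).
MIT_REALM_SRV: SrvTable = {
    "_kerberos._udp.example.com.": [SrvRecord(0, 100, 88, "kdc1.example.com")],
    "_kerberos-master._udp.example.com.": [SrvRecord(0, 100, 88, "kdc1.example.com")],
    "_kerberos-adm._tcp.example.com.": [SrvRecord(0, 100, 749, "kadmin.example.com")],
}
AD_DOMAIN_SRV: SrvTable = {   # AD-looking realm, deliberately without _kpasswd records
    "_kerberos._tcp.ad.example.com.": [SrvRecord(0, 100, 88, "dc1.ad.example.com")],
    "_kerberos._tcp.dc._msdcs.ad.example.com.": [SrvRecord(0, 100, 88, "dc1.ad.example.com")],
    "_ldap._tcp.dc._msdcs.ad.example.com.": [SrvRecord(0, 100, 389, "dc1.ad.example.com")],
    "_kerberos-adm._tcp.ad.example.com.": [SrvRecord(0, 100, 749, "dc1.ad.example.com")],
}
KPASSWD_REALM_SRV: SrvTable = {   # explicit _kpasswd records with differing priorities
    "_kpasswd._udp.corp.example.": [SrvRecord(10, 50, 464, "pw2.corp.example"),
                                    SrvRecord(0, 20, 464, "pw1.corp.example")],
}

if __name__ == "__main__":
    for label, table, realm in (("MIT-style", MIT_REALM_SRV, "EXAMPLE.COM"),
                                ("AD-style", AD_DOMAIN_SRV, "AD.EXAMPLE.COM"),
                                ("_kpasswd", KPASSWD_REALM_SRV, "CORP.EXAMPLE")):
        print(label, realm, "->", choose_kpasswd_server(table, realm))
```

With the default policy the MIT-style realm falls back to its admin server on port 464, the AD-looking realm yields no server (the caller must configure one or pass `fallback_to_admin_server=True` explicitly), and a realm with `_kpasswd` records gets the lowest-priority record regardless of what else is published.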