[17584] in Kerberos_V5_Development


Re: suggestion for locating master kdc logic

daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon Apr 9 17:46:30 2012

From: Sam Hartman <hartmans@mit.edu>
To: Tom Yu <tlyu@mit.edu>
Date: Mon, 09 Apr 2012 17:46:04 -0400
In-Reply-To: <ldv62d8h9k3.fsf@cathode-dark-space.mit.edu> (Tom Yu's message of
	"Mon, 09 Apr 2012 17:36:28 -0400")
Message-ID: <tsl4nssfujn.fsf@mit.edu>
Cc: krbdev@mit.edu

>>>>> "Tom" == Tom Yu <tlyu@MIT.EDU> writes:

    Tom> Sam Hartman <hartmans@MIT.EDU> writes:
    >> I also think it would be reasonable to consider an argument that
    >> the default user experience for most installations of MIT
    >> Kerberos will be improved by falling back to admin_server.  My
    >> suspicion as to why we decided not to do this is that a lot of
    >> people configure AD KDCs as admin_servers not kpasswd_servers.

    Tom> Do you mean in the krb5.conf files, or elsewhere?  I'm not sure
    Tom> it makes sense to configure AD KDCs in krb5.conf as
    Tom> admin_servers.

Keep in mind that we used to not support or at least not document
kpasswd_server.

    >> One thing to check here is what AD's default SRV records do in
    >> this instance. If they publish admin_server records then it's
    >> probably not a good idea to fall back by default.

    Tom> I doubt that AD publishes SRV records for "kerberos-adm", since
    Tom> that port number is meant for the MIT krb5 kadmin RPC protocol.
    Tom> Based on a single sample, AD does appear to publish SRV records
    Tom> for "kpasswd".  How would an AD KDC function as an
    Tom> admin_server?

If they did it, it would be because of the kpasswd server.