[17586] in Kerberos_V5_Development
Re: suggestion for locating master kdc logic
daemon@ATHENA.MIT.EDU (Will Fiveash)
Mon Apr 9 18:28:58 2012
Date: Mon, 9 Apr 2012 17:28:51 -0500
From: Will Fiveash <will.fiveash@oracle.com>
To: Sam Hartman <hartmans@mit.edu>
Message-ID: <20120409222851.GE2566@oracle.com>
Mail-Followup-To: Sam Hartman <hartmans@MIT.EDU>, Tom Yu <tlyu@MIT.EDU>,
krbdev@MIT.EDU
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <tsl4nssfujn.fsf@mit.edu>
Cc: krbdev@mit.edu, Tom Yu <tlyu@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Mon, Apr 09, 2012 at 05:46:04PM -0400, Sam Hartman wrote:
> >>>>> "Tom" == Tom Yu <tlyu@MIT.EDU> writes:
>
> Tom> Sam Hartman <hartmans@MIT.EDU> writes:
> >> I also think it would be reasonable to consider an argument that
> >> the default user experience for most installations of MIT
> >> Kerberos will be improved by falling back to admin_server. My
> >> suspicion as to why we decided not to do this is that a lot of
> >> people configure AD KDCs as admin_servers not kpasswd_servers.
>
> Tom> Do you mean in the krb5.conf files, or elsewhere? I'm not sure
> Tom> it makes sense to configure AD KDCs in krb5.conf as
> Tom> admin_servers.
>
> Keep in mind that we used to not support or at least not document
> kpasswd_server.
I agree that it is quite possible even in AD environments that only the
admin_server is being specified. In fact, the Solaris krb client config
utility, kclient, does not set kpasswd_server because at the time it was
created the developer presumed the init cred error fallback-to-admin_server
behavior.
> >> One thing to check here is what AD's default SRV records do in
> >> this instance. If they publish admin_server records then it's
> >> probably not a good idea to fall back by default.
>
> Tom> I doubt that AD publishes SRV records for "kerberos-adm", since
> Tom> that port number is meant for the MIT krb5 kadmin RPC protocol.
> Tom> Based on a single sample, AD does appear to publish SRV records
> Tom> for "kpasswd". How would an AD KDC function as an
> Tom> admin_server?
>
> If they did it it would be because of the kpasswd server.
In draft-ietf-krb-wg-krb-dns-locate-03.txt, the SRV record for the
kpasswd server is described.
--
Will Fiveash
Oracle Solaris Software Engineer
http://opensolaris.org/os/project/kerberos/
Sent using mutt, a sweet, text based e-mail app <http://www.mutt.org/>
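The location order the thread is debating (explicit kpasswd_server first, then DNS SRV records as in the krb-dns-locate draft, then an optional fallback to admin_server) is easier to reason about as code. The following is an added illustration and is not MIT krb5's locate_kdc code or the Solaris kclient utility; the profile dictionary, the stub SRV resolver and its answers are constructed, and the policy of re-targeting a fallback admin_server to port 464 is an assumption made here so that the example is explicit about the port mismatch (admin_server defaults to the kadmin port 749, kpasswd to 464) rather than a claim about any release.

```python
"""Illustrative kpasswd-server location order (added example, not krb5 code).

Order modelled here, as an assumption about the policy under discussion:
  1. [realms] REALM kpasswd_server entries in krb5.conf
  2. DNS SRV records _kpasswd._udp.REALM and _kpasswd._tcp.REALM
  3. optionally, [realms] REALM admin_server entries, re-targeted to the
     kpasswd port because admin_server defaults to the kadmin port
"""
from __future__ import annotations

import re
from dataclasses import dataclass

KPASSWD_PORT = 464   # IANA-registered kpasswd port
KADMIN_PORT = 749    # IANA-registered kerberos-adm (kadmin RPC) port


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    proto: str  # "udp" or "tcp"


def parse_hostport(spec: str, default_port: int) -> tuple[str, int]:
    """Split 'host', 'host:port' or '[v6addr]:port' into (host, port)."""
    m = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", spec)
    if m:
        return m.group(1), int(m.group(2) or default_port)
    if spec.count(":") == 1:
        host, port = spec.split(":")
        return host, int(port)
    return spec, default_port


def locate_kpasswd(realm, profile, srv_lookup, fall_back_to_admin_server=True):
    """Return candidate kpasswd endpoints for REALM in the order modelled above."""
    realm_cfg = profile.get("realms", {}).get(realm, {})
    found = []

    # 1. Explicit kpasswd_server entries win outright.
    for spec in realm_cfg.get("kpasswd_server", []):
        host, port = parse_hostport(spec, KPASSWD_PORT)
        found.append(Endpoint(host, port, "udp"))
    if found:
        return found

    # 2. DNS SRV records named in the krb-dns-locate draft.
    for proto in ("udp", "tcp"):
        for host, port in srv_lookup(f"_kpasswd._{proto}.{realm}"):
            found.append(Endpoint(host, port, proto))
    if found:
        return found

    # 3. Optional fallback: reuse admin_server hosts. The configured port (if any)
    #    is the kadmin port, so it is replaced with the kpasswd port here; this is
    #    the assumption this example makes, not a statement about krb5 itself.
    if fall_back_to_admin_server:
        for spec in realm_cfg.get("admin_server", []):
            host, _ = parse_hostport(spec, KADMIN_PORT)
            found.append(Endpoint(host, KPASSWD_PORT, "udp"))
    return found


# Constructed sample data: a realm configured the way the thread describes
# (only admin_server set) and a realm with an explicit kpasswd_server.
SAMPLE_PROFILE = {
    "realms": {
        "EXAMPLE.COM": {"admin_server": ["kdc1.example.com:749"]},
        "CORP.TEST": {
            "admin_server": ["kadmin.corp.test"],
            "kpasswd_server": ["pw.corp.test:4464"],
        },
    }
}

# Constructed stub for DNS SRV answers; a real resolver would query DNS.
FAKE_SRV = {"_kpasswd._udp.AD.TEST": [("dc1.ad.test", 464)]}


def fake_srv_lookup(name: str):
    return FAKE_SRV.get(name, [])


if __name__ == "__main__":
    for realm in ("EXAMPLE.COM", "CORP.TEST", "AD.TEST"):
        print(realm, locate_kpasswd(realm, SAMPLE_PROFILE, fake_srv_lookup))
```

Running the module shows the three cases side by side: CORP.TEST resolves from its explicit kpasswd_server, AD.TEST from the SRV record alone, and EXAMPLE.COM only because of the admin_server fallback. Passing `fall_back_to_admin_server=False` makes the last case return an empty list, which is the behaviour the thread is weighing against the convenience of the fallback.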