[28624] in Kerberos


Re: Changing password using slave KDC

daemon@ATHENA.MIT.EDU (Sachin Punadikar)
Thu Nov 1 07:18:15 2007

Message-ID: <9549b1d80711010417p6ede274cr6944845da0e16acf@mail.gmail.com>
Date: Thu, 1 Nov 2007 16:47:53 +0530
From: "Sachin Punadikar" <punadikar.sachin@gmail.com>
To: jaltman@secure-endpoints.com
In-Reply-To: <4729B478.2010004@secure-endpoints.com>
Cc: kerberos@mit.edu

Hi Jeffrey,

I carried out the change. I added an entry "kdc=master-kdc" after the
existing "kdc=slave-kdc". But it still fails to get the ticket with the new
password.
It works fine when "master_kdc=master-kdc" exists.

So is it expected behavior?
Thanks in advance.

- Sachin.

On 11/1/07, Jeffrey Altman <jaltman@secure-endpoints.com> wrote:
>
> Please do not send non-development requests to the krbdev mailing list.
>
> Slave databases are read-only.  Only the master database can be used
> for password change.  The master kdc must be listed in the KDC list
> either as an additional
>
>   kdc=master-kdc
>
> or
>
>   master_kdc=master-kdc
>
> entry or both.
>
> Jeffrey Altman
>
>
> Sachin Punadikar wrote:
> > Hello,
> >
> > I have Kerberos (MIT 1.5.4 release) configured as master and slave. At the
> > client side krb5.conf file I am mentioning kdc=slave-kdc. And this is the
> > only entry in the krb5.conf file which talks about KDC.
> > In this scenario if the attribute "needchange" is set then, it prompts for
> > the password change but finally it fails to get the ticket with the newly
> > changed password. This may be because it is trying to get the ticket from
> > the slave. But slave will not have updated database at that moment.
> > So is it recommended to try for password change, only when "master_kdc"
> > entry in the krb5.conf file exists?
> > Or is there any mechanism by which one can update slave KDC database
> > instantaneously, so above scenario will work?
> >
> > Please advise.
> >
> > - Sachin.
> > _______________________________________________
> > krbdev mailing list             krbdev@mit.edu
> > https://mailman.mit.edu/mailman/listinfo/krbdev
>
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
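
An added example, not part of the original messages or of MIT Kerberos: a small Python check that parses the [realms] section of a krb5.conf and lists the realms with no master_kdc entry, the setting the reply above reports as working after a password change. The sample file and realm names are constructed, the hostnames are the ones used in the thread, and only flat realm blocks are handled.

```python
import re

# Constructed sample krb5.conf: hostnames from the thread, realm names made up.
SAMPLE = """
[libdefaults]
    default_realm = A.EXAMPLE
[realms]
    A.EXAMPLE = {
        kdc = slave-kdc
    }
    B.EXAMPLE = {
        kdc = slave-kdc
        kdc = master-kdc
    }
    C.EXAMPLE = {
        kdc = slave-kdc
        kdc = master-kdc
        master_kdc = master-kdc
    }
"""

def parse_realms(text):
    """Return {realm: {relation: [values]}} for the [realms] section."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current = header.group(1), None
        elif section != "realms":
            continue
        elif line == "}":
            current = None
        elif re.fullmatch(r"\S+\s*=\s*\{", line):  # opens "REALM = {"
            current = realms.setdefault(line.split("=")[0].strip(), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return realms

def realms_missing_master(text):
    """Realms with no master_kdc relation (primary_kdc in newer MIT releases)."""
    return sorted(name for name, rel in parse_realms(text).items()
                  if not (rel.get("master_kdc") or rel.get("primary_kdc")))

if __name__ == "__main__":
    print("no master_kdc:", realms_missing_master(SAMPLE))
```
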
