[28625] in Kerberos
Re: Changing password using slave KDC
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Thu Nov 1 08:02:53 2007
In-Reply-To: <9549b1d80711010417p6ede274cr6944845da0e16acf@mail.gmail.com>
Message-Id: <A0CAC8A4-2B0B-4398-8B91-645A54639C1B@mit.edu>
From: Ken Raeburn <raeburn@mit.edu>
Date: Thu, 1 Nov 2007 08:02:27 -0400
To: "Sachin Punadikar" <punadikar.sachin@gmail.com>
Cc: kerberos@mit.edu
On Nov 1, 2007, at 07:17, Sachin Punadikar wrote:
> I carried out the change. Added an entry of "kdc=master-kdc" after the
> existing "kdc=slave-kdc". But it still fails to get the ticket with the
> new password.
> It works fine when "master_kdc=master-kdc" exists.
>
> So is it expected behavior?
This is expected. If the library detects a "wrong password" type of
error, it will try talking to the master KDC if it finds one
configured. It won't simply walk through all of the KDCs. (The
model is, roughly, that the slaves all get updated from the master at
about the same time, so talking to other slaves won't help. But if
there is a master, its data may be more recent than the slaves'.)
In regard to a question in your earlier email, if the LDAP database
back end is used on the KDC, the password change should immediately
be seen by the slave KDC. Perhaps not *quite* immediately, if you're
replicating your LDAP service and your slave KDC is looking at a
different LDAP server than the master KDC; I'm unfamiliar with the
details of LDAP data replication in various implementations.
Ken
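An added illustration of the client policy Ken describes, written for this archive page and not taken from the MIT krb5 sources: a small model in which the first KDC that answers decides, and a wrong-password answer triggers exactly one retry against master_kdc when it is configured. The KDC names, principal, passwords and the treatment of other error codes are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

WRONG_PASSWORD = "KRB5KDC_ERR_PREAUTH_FAILED"  # the "wrong password" class of error


@dataclass
class KDC:
    """One KDC and the copy of the principal database it holds (constructed data)."""
    name: str
    passwords: Dict[str, str]   # principal -> password this KDC currently knows
    reachable: bool = True

    def as_req(self, principal: str, password: str) -> Tuple[Optional[str], Optional[str]]:
        """Return (error, tgt). An unreachable KDC gives no answer at all."""
        if not self.reachable:
            return ("TIMEOUT", None)
        if principal not in self.passwords:
            return ("KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", None)
        if self.passwords[principal] != password:
            return (WRONG_PASSWORD, None)
        return (None, f"TGT for {principal} issued by {self.name}")


def get_tgt(realm: dict, principal: str, password: str) -> Optional[str]:
    """Simplified model of the behaviour described in the reply.

    'realm' mimics a krb5.conf [realms] stanza: realm["kdc"] is the ordered
    list of KDCs, realm.get("master_kdc") the optional master. The first KDC
    that answers decides; on a wrong-password answer the only extra step is
    one retry against master_kdc. Remaining 'kdc' entries are not walked.
    (Assumption of the model: any other definitive error also ends the search.)
    """
    for kdc in realm["kdc"]:
        err, tgt = kdc.as_req(principal, password)
        if err == "TIMEOUT":
            continue                      # no answer: try the next kdc entry
        if err is None:
            return tgt
        if err == WRONG_PASSWORD and realm.get("master_kdc") is not None:
            err, tgt = realm["master_kdc"].as_req(principal, password)
            return tgt if err is None else None
        return None                       # first real answer was an error: stop
    return None                           # nobody answered


# Constructed scenario: the password was just changed on the master and the
# slave has not yet received the update.
master = KDC("master-kdc", {"alice@EXAMPLE.COM": "new-pw"})
slave = KDC("slave-kdc", {"alice@EXAMPLE.COM": "old-pw"})
without_master_entry = {"kdc": [slave, master]}             # kdc= lines only
with_master_entry = {"kdc": [slave], "master_kdc": master}  # master_kdc= set
```

With only kdc= lines the client takes the slave's wrong-password answer as final; with master_kdc= set it retries the master and gets the ticket.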
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos