[38831] in Kerberos
Re: Selective kdc discovery
daemon@ATHENA.MIT.EDU (Greg Hudson)
Sat Oct 31 01:05:24 2020
To: "Paul B. Henson" <henson@acm.org>, <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <fb897c65-dc13-752d-9cbe-9742ae692dc0@mit.edu>
Date: Sat, 31 Oct 2020 01:02:34 -0400
In-Reply-To: <10c3f066-41e0-052b-cf26-2e9ef475eb71@acm.org>

On 10/29/20 2:13 PM, Paul B. Henson wrote:
> In the krb5.conf file, you can specify kdc's statically, but there is no
> mechanism for prioritizing them or indicating which ones should be tried
> first.

In the MIT krb5 implementation, they are tried in the order specified,
with a 1s delay in between. I can't speak to the Java implementation,
unfortunately.

> You can also specify one or more master_kdc's, but based on the
> documentation those are only accessed in the case of a password failure
> on one of the regular kdc entries? If, hypothetically, all of the
> regular kdc entries timeout, would the master_kdc entries still be used,
> or would the request simply fail at that point with an unreachable kdc
> error?

The request would fail with an unreachable error, in the MIT implementation.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
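
The behaviour described in the reply above, as an added example that is not part of the original message or of MIT krb5: a small Python check that reads a realm's entries from a krb5.conf, lists the kdc entries in the order they would be tried with the 1s spacing the reply mentions, and flags master_kdc hosts that are not also kdc entries and so would not be reached when every kdc entry times out. The realm name, hostnames and function names are constructed for illustration.

```python
import re

# Constructed sample krb5.conf; the realm and hostnames are placeholders.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc-near.example.com
        kdc = kdc-far.example.com:88
        master_kdc = kdc-primary.example.com
    }
"""

DELAY_S = 1  # spacing between successive KDCs, as stated in the reply above


def realm_relations(conf_text, realm):
    """Return (key, value) pairs from the realm's [realms] subsection, in file order."""
    section, in_realm, pairs = None, False, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, in_realm = m.group(1), False
        elif section == "realms" and not in_realm:
            m = re.fullmatch(r"(\S+)\s*=\s*\{", line)
            in_realm = bool(m) and m.group(1) == realm
        elif in_realm and line.startswith("}"):
            in_realm = False
        elif in_realm and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            pairs.append((key, value))
    return pairs


def kdc_plan(conf_text, realm):
    """Return (try schedule, master_kdc hosts that are not in the kdc list)."""
    pairs = realm_relations(conf_text, realm)
    kdcs = [v for k, v in pairs if k == "kdc"]
    masters = [v for k, v in pairs if k == "master_kdc"]
    schedule = [(i * DELAY_S, host) for i, host in enumerate(kdcs)]
    not_fallback = [m for m in masters if m not in kdcs]  # compared as written
    return schedule, not_fallback
```

To have a host act as a last resort for ordinary requests, it has to appear as a final kdc line as well as under master_kdc.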