Subject: Master KDC lookup can use SRV lookups despite local realm KDC configuration
If a realm is defined in the profile with one or more kdc values but no
master_kdc variable is defined, krb5_sendto_kdc() will perform SRV
lookups in order to determine the master KDC value, even if there's only
one KDC defined.

It would be more admin-friendly and performant to use the first value of
"kdc" in the profile as the master KDC.

Based on recent discussion here:

http://mailman.mit.edu/pipermail/krbdev/2012-April/010722.html

it would probably not be a good idea to assume that the first-listed KDC
is the master, especially while there is no protection against contacting
the same KDC a second time during the fallback to master. We don't want
to do fallback in situations where it isn't desired; otherwise we can
cause extra account lockout strikes against a user who enters the wrong
password.

A more appropriate change would be to check if there are "kdc" values in
the profile realm configuration, and if so, not check DNS for a
_master-kdc record when looking for masters.

The change I suggested above could alter the behavior of existing
environments. Where there are widely distributed krb5.conf files
specifying kdc but not master_kdc entries, and a SRV record for
kerberos-master, we would be effectively disabling fallback to master. This
is the case for ATHENA.MIT.EDU.

A more conservative change would be to support "master_kdc = ." or
something to explicitly suppress the master_kdc setting in the profile,
preventing a lookup in DNS. I am not sure if we will go this route or
make the previously suggested change.
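The configuration situation the thread describes can be audited directly. The following is an added example, not MIT krb5 code and not anything proposed in this ticket: it parses the [realms] section of a krb5.conf, flags realms that list kdc entries but no master_kdc (the case in which libkrb5 goes to DNS for the master, querying the SRV name _kerberos-master._udp.<realm>, the "kerberos-master" record mentioned above), and shows the conservative fix an admin can apply today, which is to set master_kdc explicitly. The sample krb5.conf, realm names and host names are constructed for the example. As the discussion warns, the host to pin as master_kdc is the admin's choice; the example deliberately does not assume the first kdc entry is the master.

```python
"""Audit a krb5.conf for realms where master-KDC location falls back to DNS.

Added example, not krb5 library code. The parser is a small hand-written
one covering the krb5.conf subset used below: [section] headers,
'REALM = { ... }' blocks, 'key = value' lines, and '#'/';' comment lines.
"""
import re

# Constructed sample configuration; not a real site's krb5.conf.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    # kdc set, master_kdc missing: libkrb5 will query DNS for the master
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
    }
    # both set: no SRV lookup is needed to find the master
    CORP.EXAMPLE.NET = {
        kdc = kdc.corp.example.net
        master_kdc = kdc.corp.example.net
    }
    # no kdc at all: KDC location is already DNS-driven for this realm
    DNSONLY.EXAMPLE.ORG = {
        default_domain = dnsonly.example.org
    }
"""


def _strip(raw):
    """Return the significant content of a line, or '' for blanks/comments."""
    line = raw.strip()
    if not line or line[0] in '#;':
        return ''
    return line


def parse_realms(text):
    """Return {realm: {key: [value, ...]}} for the [realms] section."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section, current = m.group(1), None
            continue
        if section != 'realms':
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:
            current = m.group(1)
            realms.setdefault(current, {})
            continue
        if line == '}':
            current = None
            continue
        m = re.match(r'^(\S+)\s*=\s*(.+)$', line)
        if m and current is not None:
            realms[current].setdefault(m.group(1), []).append(m.group(2).strip())
    return realms


def master_lookup_plan(realm, cfg, dns_lookup_kdc=True):
    """Where libkrb5 will look for the master KDC of one realm.

    A profile master_kdc entry is used as-is. Otherwise the library issues an
    SRV query for _kerberos-master._udp.<realm>, even when kdc= is present
    (the behaviour reported in this ticket), unless DNS KDC lookup is turned
    off via dns_lookup_kdc in [libdefaults].
    """
    if cfg.get('master_kdc'):
        return ('profile', list(cfg['master_kdc']))
    if not dns_lookup_kdc:
        return ('none', [])
    return ('dns', ['_kerberos-master._udp.%s' % realm])


def audit(text):
    """Realms with kdc= entries but no master_kdc=, sorted by name."""
    return sorted(r for r, c in parse_realms(text).items()
                  if c.get('kdc') and not c.get('master_kdc'))


def with_master_kdc(text, realm, host):
    """Return the config with 'master_kdc = host' added to the given realm block.

    The line is inserted just before the block's closing brace, reusing the
    indentation of the block's kdc= lines.
    """
    out, section, in_block, indent = [], None, False, '    '
    for raw in text.splitlines():
        line = _strip(raw)
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            section = m.group(1)
        elif section == 'realms' and re.match(r'^%s\s*=\s*\{$' % re.escape(realm), line):
            in_block = True
        elif in_block and line.split('=', 1)[0].strip() == 'kdc':
            indent = raw[:len(raw) - len(raw.lstrip())]
        elif in_block and line == '}':
            out.append('%smaster_kdc = %s' % (indent, host))
            in_block = False
        out.append(raw)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for realm in audit(SAMPLE_KRB5_CONF):
        cfg = parse_realms(SAMPLE_KRB5_CONF)[realm]
        print(realm, master_lookup_plan(realm, cfg))
    fixed = with_master_kdc(SAMPLE_KRB5_CONF, 'EXAMPLE.COM', 'kdc1.example.com')
    print('after fix:', audit(fixed))
```

Run it against a real krb5.conf by replacing SAMPLE_KRB5_CONF with the file's contents; any realm it prints is one where a wrong-password fallback will trigger the SRV query discussed above, and the suggested remedy is an explicit master_kdc entry naming the host the admin knows to be the master.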