Skip Menu |

Subject: Master KDC lookup can use SRV lookups despite local realm KDC configuration
If a realm is defined in the profile with one or more kdc values but no
master_kdc variable is defined, krb5_sendto_kdc() will perform SRV
lookups in order to determine the master KDC value, even if there's only
one KDC defined.

It would be more admin-friendly and performant to use the first value of
"kdc" in the profile as the master KDC.
Based on recent discussion here:

it would probably not be a good idea to assume that the first-listed KDC
is the master, especially while there is no protection against contacting
the same KDC a second time during the fallback to master. We don't want
to do fallback in situations where it isn't desired; otherwise we can
cause extra account lockout strikes against a user who enters the wrong

A more appropriate change would be to check if there are "kdc" values in
the profile realm configuration, and if so, not check DNS for a _master-
kdc record when looking for masters.
The change I suggested above could alter the behavior of existing
environments. Where there are widely distributed krb5.conf files
specifying kdc but not master_kdc entries, and a SRV record for kerberos-
master, we would be effectively disabling fallback to master. This is the
case for ATHENA.MIT.EDU.

A more conservative change would be to support "master_kdc = ." or
something to explicitly suppress the master_kdc setting in the profile,
preventing a lookup in DNS. I am not sure if we will go this route or
make the previously suggested change.