On Nov 1, 2007, at 07:17, Sachin Punadikar wrote:
> I carried out the change. Added an entry of "kdc=master-kdc" after the
> existing "kdc=slave-kdc". But still it fails to get the ticket of new
> password.
> It works fine when "master_kdc=master-kdc" exists.
>
> So is it expected behavior?

This is expected. If the library detects a "wrong password" type of error, it will try talking to the master KDC if it finds one configured. It won't simply walk through all of the KDCs. (The model is, roughly, that the slaves all get updated from the master at about the same time, so talking to other slaves won't help. But if there is a master, its data may be more recent than the slaves'.)

In regard to a question in your earlier email, if the LDAP database back end is used on the KDC, the password change should immediately be seen by the slave KDC. Perhaps not *quite* immediately, if you're replicating your LDAP service and your slave KDC is looking at a different LDAP server than the master KDC; I'm unfamiliar with the details of LDAP data replication in various implementations.

Ken
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
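
Added example, not part of the original message and not MIT Kerberos code: a small Python check that reads the [realms] section of a krb5.conf and reports realms that list kdc entries but no master_kdc, which is the configuration in which the retry described above has no master to go to. The realm names and the sample file are constructed; the host names are the ones from the thread, and sub-blocks nested inside a realm are assumed absent.

```python
import re

# Constructed sample krb5.conf: realm names are placeholders, hosts are the thread's.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = slave-kdc
        kdc = master-kdc
    }
    OTHER.EXAMPLE = {
        kdc = slave-kdc
        master_kdc = master-kdc
    }
"""

def parse_realms(text):
    """Return {realm: {key: [values]}} read from the [realms] section."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)     # section header such as [realms]
        if m:
            section, current = m.group(1), None
            continue
        if section != "realms":
            continue
        if line.startswith("}"):                 # end of a realm block
            current = None
        elif current is None:
            m = re.fullmatch(r"(\S+)\s*=\s*\{", line)   # "REALM = {"
            if m:
                current = realms.setdefault(m.group(1), {})
        elif "=" in line:                        # "key = value", repeats allowed
            key, value = (p.strip() for p in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return realms

def realms_without_master_kdc(text):
    """Realms that list KDCs but name no master_kdc for the library to retry."""
    return [name for name, cfg in parse_realms(text).items()
            if cfg.get("kdc") and not cfg.get("master_kdc")]

if __name__ == "__main__":
    for realm in realms_without_master_kdc(SAMPLE):
        print(f"{realm}: kdc entries present but no master_kdc")
```
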
