Release Meeting Minutes/2012-04-10
Will Fiveash, Thomas Hardjono, Greg Hudson, Simo Sorce, Zhanna Tsitkov, Tom Yu
Master KDC location
- Sam's idea of a compile-time setting for the default fallback behavior.
- Question re Solaris behavior. A comment in OpenSolaris says to unconditionally use admin_server instead of using it as a filter on hostnames.
- Behavior experiments: no fallback to the admin server.
- Knowing the Solaris behavior would be useful. 1.3.1 and earlier never used kerberos_adm from DNS. The admin server runs on a different port, hence the hostname filter. In 1.3.2 the behavior changed so that the profile setting for the master KDC had to be explicitly configured to get any fallback behavior. But we always query the krb_master SRV record. People would set up AD, so in the config file they'd put kdc and admin_server entries. That gives 2 counts against lockout if you type a wrong password. So with AD you could have no masters, because every KDC would be in sync.
- All your scenarios involve no SRV record lookup?
- Yes. Solaris support for master_kdc slipped in during PKINIT resync.
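The profile settings the discussion above turns on, as an added krb5.conf example (not a file from the krb5 project or from the meeting). Realm name and hostnames are made up; the record names in the comments are the SRV names MIT krb5 queries when dns_lookup_kdc is enabled.

```ini
# Constructed example realm configuration for the master-KDC fallback discussion.
[libdefaults]
    default_realm = EXAMPLE.COM
    # With DNS lookup on, the library also queries SRV records:
    #   _kerberos._udp.EXAMPLE.COM         -> any KDC
    #   _kerberos-master._udp.EXAMPLE.COM  -> master KDC (used for fallback)
    #   _kerberos-adm._tcp.EXAMPLE.COM     -> kadmin server
    dns_lookup_kdc = true

[realms]
    # MIT-style realm with one writable master and read-only replicas.
    # Only an explicit master_kdc entry (or the _kerberos-master SRV record)
    # causes a password failure at a replica to be retried at the master.
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        master_kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }

    # Active Directory realm: every DC is writable and in sync, so there is
    # no master to fall back to. Listing a master_kdc here would make a
    # mistyped password fail twice (replica, then "master"), counting twice
    # against the domain lockout policy; leave master_kdc out.
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
        kdc = dc2.ad.example.com
        admin_server = dc1.ad.example.com
    }
```

The admin_server entry is not treated as a master KDC by itself in this configuration; the fallback described in the minutes depends on master_kdc or the _kerberos-master SRV record being present.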
Interposing mechglue plugins
- Question for Simo: are you going to work on interposing mechglue plugins?
- Yes. Discussed with Nico; had some ideas. Clearly not wanting to intercept SPNEGO yet. Mechglue needs to know about the interposer per OID / plugin.
- How does mechglue locate the plugins? Existing conf file?
- Turn the krb5 mech into a loadable module?
- ... still could be static. Interposer could be runtime loaded.
- A mech only ever sees its own context handles. The app always sees mechglue handles.
- Simo asks about a designated error code for an interposer to return to signal mechglue to do special things. Tom says it should probably go through the IETF, and to keep in mind the "bitfield" nature of the major status code.