Release Meeting Minutes/2012-04-10

From K5Wiki
Will Fiveash, Thomas Hardjono, Greg Hudson, Simo Sorce, Zhanna Tsitkov, Tom Yu

Master KDC location

Will
Sam's idea of compile-time setting of default fallback behavior.
Greg
Question re Solaris behavior. OpenSolaris says comment to unconditionally use admin_server instead of using as filter on hostnames.
Will
Behavior experiments. No fallback to admin server.
Greg
Knowing Solaris behavior would be useful. 1.3.1 and earlier never used kerberos_adm from DNS. Admin server runs on a different port -- hostname filter. In 1.3.2 the behavior changed so the profile setting for master KDC had to be explicitly configured to get any fallback behavior. But we always query the krb_master SRV record. People would set up AD... so in the config file they'd put KDC and admin_server entries. 2 counts against lockout if you type a wrong password. So in AD you could have no masters because every KDC would be in sync.
Tom
All your scenarios involve no SRV record lookup?
Will
Yes. Solaris support for master_kdc slipped in during PKINIT resync.
Greg
Question for Simo -- are you going to work on interposing mechglue plugins?
Simo
Yes. Discussed with Nico. Had some ideas. Clearly not wanting to intercept SPNEGO yet. Mechglue needs to know about interposer per OID / plugin.
Greg
How does mechglue locate the plugins? Existing conf file?
Simo
Yes.
Greg
Turning krb5 mech into loadable?
Simo
... still could be static. Interposer could be runtime loaded.
Tom
Mech only ever sees its own context handles. App always sees mechglue handles.

Simo asks about designated error code for interposer to return to signal mechglue to do special things. Tom says it should probably go through IETF, and to keep in mind the "bitfield" nature of the major status code.