On 10/29/20 2:13 PM, Paul B. Henson wrote: > In the krb5.conf file, you can specify kdc's statically, but there is no > mechanism for prioritizing them or indicating which ones should be tried > first.
In the MIT krb5 implementation, they are tried in the order specified, with a 1s delay in between. I can't speak to the Java implementation, unfortunately. > You can also specify one or more master_kdc's, but based on the > documentation those are only accessed in the case of a password failure > on one of the regular kdc entries? If, hypothetically, all of the > regular kdc entries timeout, would the master_kdc entries still be used, > or would the request simply fail at that point with an unreachable kdc > error? The request would fail with an unreachable error, in the MIT implementation. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
