[ https://issues.apache.org/jira/browse/AMBARI-20586?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15943630#comment-15943630 ]
Robert Levas commented on AMBARI-20586:
---------------------------------------

[~bsari]

{quote}
Add (optional) master_kdcs to kerberos-env and generated krb5.conf file. If kerberos-env/master_kdcs is not empty, it should contain a list of IP addresses or FQDNs for one or more KDCs. Multiple entries should be comma-delimited.
{quote}

I cannot find any examples where multiple master KDCs are allowed... so maybe this should only support a single master KDC for now; and, if needed, the feature can be expanded to allow for multiple master KDCs.

> Add (optional) master_kdcs to kerberos-env and generated krb5.conf file
> -----------------------------------------------------------------------
>
> Key: AMBARI-20586
> URL: https://issues.apache.org/jira/browse/AMBARI-20586
> Project: Ambari
> Issue Type: Bug
> Reporter: Balázs Bence Sári
> Assignee: Balázs Bence Sári
> Fix For: 3.0.0, 2.5.1
>
> Attachments: AMBARI-20586-Master-kdc_trunk_v2.patch
>
>
> Add (optional) {{master_kdcs}} to {{kerberos-env}} and generated krb5.conf
> file. If {{kerberos-env/master_kdcs}} is not empty, it should contain a list
> of IP addresses or FQDNs for one or more KDCs. Multiple entries should be
> comma-delimited.
> According to
> https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html:
> {quote}
> master_kdc
> Identifies the master KDC(s). Currently, this tag is used in only one case:
> If an attempt to get credentials fails because of an invalid password, the
> client software will attempt to contact the master KDC, in case the user’s
> password has just been changed, and the updated database has not been
> propagated to the slave servers yet.
> {quote}
> This should help with scenarios where multiple KDCs are in a master/slave (or
> replicated) configuration.

--
This message was sent by Atlassian JIRA (v6.3.15#6346)
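
An added example, not part of the original message and not Ambari's own code: one way to turn a comma-delimited `master_kdcs` value into krb5.conf realm lines while rejecting any entry that is not an IP address or hostname, so the value cannot inject extra lines into the generated file. The function names, the sample hosts, and the choice to emit one `master_kdc` line per entry are assumptions.

```python
import ipaddress
import re

# One RFC 1123 hostname label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def _is_host(value):
    """True if value is an IP address or a syntactically valid hostname/FQDN."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if len(value) > 253:
        return False
    # fullmatch rejects whitespace, newlines and braces inside any label.
    return all(_LABEL.fullmatch(label) for label in value.rstrip(".").split("."))


def parse_master_kdcs(raw):
    """Split a comma-delimited host list (hypothetical helper) into clean entries."""
    hosts = []
    for entry in (raw or "").split(","):
        entry = entry.strip()
        if not entry:
            continue  # tolerate an empty value, stray commas and whitespace
        if not _is_host(entry):
            raise ValueError("invalid KDC entry: %r" % entry)
        if entry not in hosts:
            hosts.append(entry)  # keep order, drop duplicates
    return hosts


def render_realm(realm, kdcs, master_kdcs=""):
    """Render one [realms] stanza; master_kdc lines appear only when configured."""
    lines = ["  %s = {" % realm]
    lines += ["    kdc = %s" % h for h in parse_master_kdcs(kdcs)]
    # Assumption: one master_kdc line per entry in the comma-delimited value.
    lines += ["    master_kdc = %s" % h for h in parse_master_kdcs(master_kdcs)]
    lines.append("  }")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    print("[realms]")
    print(render_realm("EXAMPLE.COM", "kdc1.example.com, kdc2.example.com",
                       "kdc1.example.com"))
```
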