[COLUG] PAM_Kerberos Logistics issue

Stephen Nordlund nordlus at ilive4code.net
Fri Sep 22 13:31:18 EDT 2006


Problem:
       The krb5.conf file supports multiple KDCs, but there does not
appear to be a native way to maintain the KDC list, whether it's
multiple realms or even just a single realm.


Example (krb5.conf):

[realms]
EXAMPLE.COM = {
kdc = kdc1.example.com:88
kdc = kdc2.example.com:88
admin_server = kdc1.example.com:749
kpasswd_server = kdc1.example.com:464
kpasswd_protocol = SET_CHANGE
default_domain = example.com
}

I have contemplated writing my own krb5.conf build tool that would run on
some sort of timed basis.  The build tool would then do a query out to the
DNS servers and pull back all the SRV records for _kerberos._tcp.<domain>:

# dig -t SRV _kerberos._tcp.<domain> +short | awk '{sub(/\.$/, "", $4); print "kdc = " $4 ":" $3}'

but I would think this would be an issue faced by any administrator
working on Kerberos.  Who wants to maintain a file, especially one where
the other side is an MS domain controller that may change with the wind!
Just in the one domain I'm in there are 17 KDCs, and there could be 15
tomorrow and I would never know.
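The build tool sketched in the post, written out as an added example (this is not the poster's code, and it is not part of any Kerberos distribution). It takes the text that `dig -t SRV _kerberos._tcp.<domain> +short` prints (one `priority weight port target.` line per record), strips the trailing dot from each target, orders the KDCs the way a Kerberos client should try them (lowest priority first, higher weight first within a priority), drops duplicates, and renders a `[realms]` stanza in the shape of the krb5.conf example above. The admin_server/kpasswd_server ports (749 and 464) and the SET_CHANGE protocol are copied from that example; the sample dig output is constructed, and `query_srv` is a thin wrapper around a real `dig` call for use on a live system. A practitioner running this from cron would want to diff its output against the installed krb5.conf before replacing the file, since an unauthenticated DNS answer (no DNSSEC) is now deciding which hosts the client will hand its credentials to.

```python
"""Build a krb5.conf [realms] stanza from _kerberos._tcp SRV records.

Added example for the COLUG post above; the dig output parsed here is the
`+short` form: "<priority> <weight> <port> <target>." per record.
"""
import subprocess
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # hostname with the trailing dot already removed


def parse_dig_short(text: str) -> List[SrvRecord]:
    """Parse `dig +short` SRV output; blank or malformed lines are skipped."""
    records = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # not a "prio weight port target" line
        try:
            prio, weight, port = (int(p) for p in parts[:3])
        except ValueError:
            continue  # e.g. a "connection timed out" message from dig
        records.add(SrvRecord(prio, weight, port, parts[3].rstrip(".")))
    # Clients try the lowest priority first, and within a priority the
    # heavier weight first; the target name makes the order deterministic.
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def render_realm(realm: str, records: List[SrvRecord],
                 admin_server: str, default_domain: str) -> str:
    """Render one realm block in the layout of the krb5.conf example above."""
    lines = [f"{realm} = {{"]
    for r in records:
        lines.append(f"    kdc = {r.target}:{r.port}")
    lines.append(f"    admin_server = {admin_server}:749")
    lines.append(f"    kpasswd_server = {admin_server}:464")
    lines.append("    kpasswd_protocol = SET_CHANGE")
    lines.append(f"    default_domain = {default_domain}")
    lines.append("}")
    return "\n".join(lines)


def query_srv(domain: str) -> str:
    """Run dig for the realm's KDC SRV records (needs `dig` and a network)."""
    proc = subprocess.run(
        ["dig", "-t", "SRV", f"_kerberos._tcp.{domain}", "+short"],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


# Constructed sample dig output, standing in for a live query: one duplicate
# record and one lower-priority (backup) KDC, to exercise dedup and ordering.
SAMPLE_DIG_OUTPUT = """\
0 100 88 kdc2.example.com.
0 100 88 kdc1.example.com.
10 50 88 kdc3.example.com.
0 100 88 kdc1.example.com.
"""

if __name__ == "__main__":
    recs = parse_dig_short(SAMPLE_DIG_OUTPUT)  # swap in query_srv("example.com") live
    print("[realms]")
    print(render_realm("EXAMPLE.COM", recs, "kdc1.example.com", "example.com"))
```

On the sample input this yields three kdc lines (kdc1, kdc2, then the priority-10 kdc3), with the duplicate kdc1 record collapsed; the `admin_server` host is deliberately left as an explicit argument rather than taken from DNS, because `_kerberos-adm._tcp` is a separate record and the post's example pins it to a single host.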
