scaling problems

denis.havlik@t-mobile.at denis.havlik at t-mobile.at
Wed Apr 14 12:36:22 EDT 2004


Hi, folks

I'm trying to figure out how the load balancing with kerberos works, and I 
simply don't get it. From what I've learned so far, I figure that MIT 
kerberos is meant to be used as a single server, with one failback slave 
server that usually doesn't answer any requests. This doesn't make sense 
to me, but I'll explain why I've come to this conclusion:

1) Master KDC propagates the DB change to slaves once in a while. 
According to "Kerberos the definitive guide", this interval is usually 1 
hour.
2) Users wouldn't be happy if they were unable to log in for one hour every 
time they change password. 

So, logical consequence is that master must answer all TGT requests. 
Having a slave around in case master dies is better than nothing, but 
slave should never get the TGT requests as long as the master is alive.

3) Slave could answer requests from clients that already have a TGT, but I 
don't see any configuration option that would tell the client "ask server 
A for a TGT, but go to server B for all further operations". 

So logically, slave server(s) can only be used as a fallback, and can't be 
used for load balancing purpose. 

OK, I'm sure I've misunderstood something, please tell me what. :-)

thx
        Denis
--
T-Mobile Austria GmbH,
Information Technologies / Services
Knowledge Management & Process Automation

Dr. Denis Havlik,              eMail: denis.havlik at t-mobile.at
Rennweg 97-99, BT2E0304031     Phone: +43-1-79-585/6237
A-1030 Vienna                  Fax:   +43-1-79-585/6584