scaling problems
denis.havlik@t-mobile.at
Wed Apr 14 12:36:22 EDT 2004

Hi, folks

I'm trying to figure out how the load balancing with kerberos works, and I
simply don't get it. From what I've learned so far, I figure that MIT
kerberos is meant to be used as a single server, with one failback slave
server that usually doesn't answer any requests. This doesn't make sense
to me, but I'll explain why I've come to this conclusion:

1) Master KDC propagates the DB change to slaves once in a while.
According to "Kerberos the definitive guide", this interval is usually 1
hour.

2) Users wouldn't be happy if they were unable to log in for one hour every
time they change their password.

So, the logical consequence is that the master must answer all TGT requests.
Having a slave around in case the master dies is better than nothing, but
the slave should never get the TGT requests as long as the master is alive.

3) Slave could answer requests from clients that already have a TGT, but I
don't see any configuration option that would tell the client "ask server
A for a TGT, but go to server B for all further operations".

So logically, slave server(s) can only be used as a fallback, and can't be
used for load balancing purposes.

OK, I'm sure I've misunderstood something, please tell me what. :-)

thx

Denis
--
T-Mobile Austria GmbH,
Information Technologies / Services
Knowledge Management & Process Automation
Dr. Denis Havlik, eMail: denis.havlik at t-mobile.at
Rennweg 97-99, BT2E0304031 Phone: +43-1-79-585/6237
A-1030 Vienna Fax: +43-1-79-585/6584