scaling problems

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Apr 14 13:05:24 EDT 2004


>So, logical consequence is that master must answer all TGT requests. 

There are two things missing here.

The user's password is only required for AS requests.  You don't need the
user's password for TGS requests, which are the vast majority of Kerberos
requests.

At least one major Kerberos implementation (MIT) will go out of its way
to contact a master KDC if it got an error from an AS_REQ to a slave (MIT).
I don't know if Heimdal has this functionality or not.

Two more things:

- An hour is a long time to wait for password updates between KDCs.  Mine is
  set to 5 minutes.

- I don't actually do load balancing between my KDCs, but the load on them
  is so light, I never notice a problem.

--Ken
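
The two points in the message above, as a toy model added to this archive page (not code from the post, from MIT or from Heimdal): the user's key is checked only in the AS exchange, so a replica with a stale password still serves TGS requests, and a client that retries a failed AS request at the master still logs in. The `KDC` class, `login` helper, HMAC-based "proof" and all key values are constructed stand-ins, not real Kerberos cryptography.

```python
import hashlib
import hmac

def string_to_key(password):
    # Stand-in for the Kerberos string-to-key function (assumption, not the real one).
    return hashlib.sha256(password.encode()).digest()

def mac(key, data):
    return hmac.new(key, data, "sha256").digest()

class KDC:
    """Toy KDC holding its own copy of the principal database."""
    def __init__(self, name, db):
        self.name, self.db = name, dict(db)
        self.krbtgt_key = b"krbtgt-key-shared-by-all-kdcs"  # constructed value

    def as_req(self, user, proof):
        # AS exchange: the only step that depends on the user's long-term key.
        if not hmac.compare_digest(proof, mac(self.db[user], b"preauth")):
            return None  # models an AS_REQ error from a KDC with a stale key
        return mac(self.krbtgt_key, user.encode())  # toy "TGT"

    def tgs_req(self, user, tgt):
        # TGS exchange: validates the TGT with the krbtgt key, not the password.
        return hmac.compare_digest(tgt, mac(self.krbtgt_key, user.encode()))

def login(user, password, replicas, master):
    """Try replicas first; on an AS error, retry against the master."""
    proof = mac(string_to_key(password), b"preauth")
    for kdc in replicas:
        tgt = kdc.as_req(user, proof)
        if tgt:
            return tgt, kdc.name
    tgt = master.as_req(user, proof)
    return tgt, (master.name if tgt else None)

def demo():
    old = {"alice": string_to_key("old-pw")}
    master, replica = KDC("master", old), KDC("replica", old)
    master.db["alice"] = string_to_key("new-pw")  # changed, not yet propagated
    tgt, answered_by = login("alice", "new-pw", [replica], master)
    # The stale replica can still handle the follow-up TGS request.
    return answered_by, replica.tgs_req("alice", tgt)

if __name__ == "__main__":
    print(demo())
```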

