scaling problems
John Hascall
john at iastate.edu
Wed Apr 14 14:26:33 EDT 2004
Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
> >So, logical consequence is that master must answer all TGT requests.
> Two more things:
> - A hour a long time to wait for password updates between KDCs. Mine is
> set to 5 minutes.
If you are a big site (tens of thousands of principals),
this is probably not an option. Most of us in that
category have invented or adopted some sort of incremental
update scheme.
> - I don't actually do load balancing between my KDCs, but the load on them
> is so light, I never notice a problem.
I think it would take a combination of a pretty big site and
a pretty lame server for anyone to notice a load problem (ours
ran on an 8Mhz DECstation for years!) I think the most common
reasons for a slave KDC are:
* reliability (if your main server coughs up a motherboard or ...)
* slow or unreliable networks (e.g., the podunk branch office problem)
John
More information about the Kerberos
mailing list