kerberos password change in master-slave environ

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Mar 24 14:38:09 EST 2004


>Changing it every 5 minutes still means you can't really login or do
>anything until after 5 minutes have passed.  And what do you do when your
>password database is several megs and takes 2 or 3 minutes to transfer?

I think you're making a mountain of a molehill here.  It actually works
pretty well in practice.  There are three key things that you're missing:

- People generally configure their KDCs so that queries go to the master
  first.  Thus, you're almost always talking to the up-to-date KDC.
- The MIT client code will requery the master KDC if it determined that
  there was an error and it talked to a slave KDC.
- It only matters for the initial ticket; if you've already got a TGT,
  it doesn't matter if your key has changed.

(Speaking as someone who deals with password changing issues very frequently).

I'm not saying multi-master isn't desirable, but for the average realm, you
can live without it.  For a larger realm, (in the tens of thousands of
principals) having incremental propagation probably takes care of the
issues you have with DB propagation.

--Ken
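As an added illustration of the three points made above (this is not part of the original post, nor MIT Kerberos code), here is a small Python model of a master KDC that already holds a principal's new key while a slave KDC still holds the old one, together with a client that queries KDCs in configured order and retries the master when a slave rejects the preauthentication. Principal names, hostnames, keys, the string-to-key stand-in and the error names are constructed for the example; the retry rule is a simplification of what the MIT client does, not its actual logic.

```python
"""Toy model: master KDC with the new key, slave KDC with the stale key,
client that retries the master on a preauth failure from a slave.
All names, keys and error values are constructed for this example."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed error names (chosen to resemble the Kerberos protocol names).
KDC_ERR_PREAUTH_FAILED = "KDC_ERR_PREAUTH_FAILED"
KDC_ERR_C_PRINCIPAL_UNKNOWN = "KDC_ERR_C_PRINCIPAL_UNKNOWN"
RETRY_MASTER_ON = {KDC_ERR_PREAUTH_FAILED, KDC_ERR_C_PRINCIPAL_UNKNOWN}

def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for the Kerberos string-to-key function (constructed)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

@dataclass
class KDC:
    name: str
    is_master: bool
    db: dict              # principal -> (kvno, key); slaves lag behind the master
    tgs_key: bytes        # shared by every KDC of the realm
    reachable: bool = True

    def as_req(self, principal: str, password: str):
        """AS-REQ with encrypted-timestamp preauth, modelled as a key comparison."""
        if principal not in self.db:
            return "error", KDC_ERR_C_PRINCIPAL_UNKNOWN
        kvno, key = self.db[principal]
        if not hmac.compare_digest(string_to_key(password, principal), key):
            return "error", KDC_ERR_PREAUTH_FAILED
        # The TGT is protected by the TGS key, not the client's key, which is
        # why a later password change does not invalidate an existing TGT.
        tgt = hmac.new(self.tgs_key, f"tgt:{principal}".encode(), "sha256").hexdigest()
        return "tgt", tgt

    def tgs_req(self, principal: str, tgt: str, service: str):
        """TGS-REQ: validating the TGT needs only the TGS key."""
        expected = hmac.new(self.tgs_key, f"tgt:{principal}".encode(), "sha256").hexdigest()
        if not hmac.compare_digest(tgt, expected):
            return "error", "KRB_AP_ERR_BAD_INTEGRITY"
        return "ticket", f"{service}@{self.name}"

def get_init_creds(kdcs, master, principal, password):
    """Query KDCs in configured order; on a preauth-type error from a
    non-master, retry the master. Returns (tgt, answering_kdc, retried_master)."""
    status, payload, answered_by = "error", "no KDC reachable", None
    for kdc in kdcs:
        if not kdc.reachable:
            continue
        status, payload = kdc.as_req(principal, password)
        answered_by = kdc
        break                       # first reachable KDC's answer is taken
    if status == "tgt":
        return payload, answered_by.name, False
    if payload in RETRY_MASTER_ON and answered_by is not master and master.reachable:
        status, payload = master.as_req(principal, password)
        if status == "tgt":
            return payload, master.name, True
    raise PermissionError(payload)

ALICE = "alice@EXAMPLE.ORG"                  # constructed principal
OLD_PW, NEW_PW = "old-password", "new-password"

def build_realm():
    """Master already has kvno 2 (new key); the slave still holds kvno 1."""
    tgs_key = b"constructed-tgs-key"
    master = KDC("kdc1.example.org", True, {ALICE: (2, string_to_key(NEW_PW, ALICE))}, tgs_key)
    slave = KDC("kdc2.example.org", False, {ALICE: (1, string_to_key(OLD_PW, ALICE))}, tgs_key)
    return master, slave

def login_master_first():
    """Master listed first: the up-to-date KDC answers, no retry needed."""
    master, slave = build_realm()
    _, kdc, retried = get_init_creds([master, slave], master, ALICE, NEW_PW)
    return kdc, retried

def login_slave_first():
    """Stale slave listed first: preauth fails there, client retries the master."""
    master, slave = build_realm()
    _, kdc, retried = get_init_creds([slave, master], master, ALICE, NEW_PW)
    return kdc, retried

def login_wrong_password():
    """A genuinely wrong password fails on the slave and again on the master."""
    master, slave = build_realm()
    try:
        get_init_creds([slave, master], master, ALICE, "not-the-password")
    except PermissionError as err:
        return str(err)
    return None

def old_tgt_survives_key_change():
    """A TGT obtained under the old key (here from the stale slave) is still
    accepted for TGS requests by the master, whose copy of the key changed."""
    master, slave = build_realm()
    status, tgt = slave.as_req(ALICE, OLD_PW)
    if status != "tgt":
        return False
    status, _ = master.tgs_req(ALICE, tgt, "host/fileserver.example.org")
    return status == "ticket"
```

The model makes the third point concrete: `old_tgt_survives_key_change` returns True because the TGT is sealed under the TGS key, so the client's own key version is irrelevant once the TGT is in hand. It also shows the case the retry does not rescue: with the master unreachable (`master.reachable = False`) and a stale slave, a user who has just changed their password cannot get an initial ticket until propagation completes.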

