kerberos password change in master-slave environ
Ken Hornstein
kenh at cmf.nrl.navy.mil
Wed Mar 24 14:38:09 EST 2004
>Changing is every 5 minutes still means you can't really login or do
>anything until after 5 minutes have passed. And what do you do when your
>password database is several megs and takes 2 or 3 minutes to transfer?
I think you're making a mountain of a molehill here. It actually works
pretty well in practice. There are three key things that you're missing:
- People generally configure their KDCs so that queries go to the master
first. Thus, you're almost always talking to the up-to-date KDC.
- The MIT client code will requery the master KDC if it determined that
there was an error and it talked to a slave KDC.
- It only matters for the initial ticket; if you've already got a TGT,
it doesn't matter if your key has changed.
(Speaking as someone who deals with password changing issues very frequently).
I'm not saying multi-master isn't desirable, but for the average realm, you
can live without it. For a larger realm (in the tens of thousands of
principals), having incremental propagation probably takes care of the
issues you have with DB propagation.
--Ken
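To make the master-first and retry-against-master behaviour described above concrete, here is an added example (not from the original post) of how an MIT krb5 client config and KDC config express it; the realm name, hostnames, ulog size and poll interval are assumed values, and newer MIT releases also accept `primary_kdc` as the name for `master_kdc`.

```ini
# Added example, not from Ken's post. Realm and hostnames are assumed.

# /etc/krb5.conf on clients and application servers
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        # Master listed first: ordinary requests reach the up-to-date DB.
        kdc = kdc-master.example.org:88
        kdc = kdc-slave1.example.org:88
        kdc = kdc-slave2.example.org:88
        # Which KDC the MIT client retries against when a slave rejects
        # the initial ticket request right after a password change.
        master_kdc = kdc-master.example.org:88
        # Password changes and kadmin always go to the master.
        admin_server = kdc-master.example.org:749
    }

# kdc.conf on the master and each slave (MIT 1.7 or later):
# incremental propagation instead of shipping the whole DB every 5 minutes.
[realms]
    EXAMPLE.ORG = {
        iprop_enable = true
        # Size of the update log kept on the master (number of entries).
        iprop_master_ulogsize = 1000
        # How often each slave (running kpropd -S) polls for new updates.
        iprop_slave_poll = 2m
    }
```

With iprop, a password change is a single logged update that slaves pick up on their next poll, so the window where a slave still holds the old key shrinks from the full-dump interval to the poll interval.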