Multi-master KDCs

Sam Hartman hartmans at MIT.EDU
Wed Mar 24 15:03:10 EST 2004


>>>>> "Digant" == Digant Kasundra <digant at uta.edu> writes:

    Digant> Hello everyone,
    Digant> Does MIT Kerberos support multimaster KDCs?  

No.  The Apple password server, based on MIT Kerberos claims to
support multi-master operation though.

Also, Umich has patches to add incremental propagation support to MIT
Kerberos.  MIT has decided not to accept these patches, but they are
available to the community.

    Digant> Does Heimdal?  

No, although they do have much better incremental propagation than MIT
does in the current release.

    Digant> By multimaster,
    Digant> I mean that I'm looking for functionality similar to Windows AD/Kerberos,
    Digant> where any DC can accept a password change and it can replicate that change
    Digant> to the other DCs.  To me, the current approach of having only the master
    Digant> take changes and then sending a copy of the entire db to the slaves is too
    Digant> clunky and inelegant.


Not having incremental propagation support for database changes is a
problem for MIT Kerberos in some environments; it is a problem we'd
like to fix.  Transferring the entire database can be expensive over
some network links.

There are a few environments where multi-master is a requirement.  But
getting multi-master right is hard and so far has not been worth the
necessary time for either Heimdal or MIT Kerberos.

I believe that people have evaluated the incremental propagation
solutions with an assumption that some day they may need to support multi-master.
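The contrast discussed above, full-database transfer versus incremental propagation, modelled as an added example (constructed for this archive page, not MIT's, Heimdal's or Umich's code): a master keeps a bounded, serial-numbered update log, a slave applies only the entries it is missing, and a slave that has fallen behind the log's window falls back to a full dump rather than applying a gap. Class and method names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Master:
    """Single write-accepting KDC: owns the database and the update log."""
    db: dict = field(default_factory=dict)    # principal -> key version (toy payload)
    ulog: list = field(default_factory=list)  # (serial, principal, value), oldest first
    serial: int = 0
    ulog_size: int = 4                        # bounded log, like a ring buffer

    def change(self, princ, value):
        self.serial += 1
        self.db[princ] = value
        self.ulog.append((self.serial, princ, value))
        del self.ulog[:-self.ulog_size]       # drop entries older than the window
        return self.serial

    def full_dump(self):
        return self.serial, dict(self.db)

    def updates_since(self, last_serial):
        """(ok, entries): ok is False when the slave is behind the log window."""
        if last_serial == self.serial:
            return True, []
        if not self.ulog or last_serial < self.ulog[0][0] - 1:
            return False, []                  # gap: entries were already discarded
        return True, [e for e in self.ulog if e[0] > last_serial]

@dataclass
class Slave:
    db: dict = field(default_factory=dict)
    last_serial: int = 0
    full_resyncs: int = 0

    def sync(self, master):
        ok, entries = master.updates_since(self.last_serial)
        if not ok:                            # never apply a gap: take the whole db
            self.last_serial, self.db = master.full_dump()
            self.full_resyncs += 1
            return "full"
        for serial, princ, value in entries:
            assert serial == self.last_serial + 1   # strictly contiguous, in order
            self.db[princ] = value
            self.last_serial = serial
        return "incremental"

def demo():
    """Constructed run: 3 changes (fits the window), 6 more (exceeds it), 1 more."""
    m, s, modes = Master(), Slave(), []
    for i in range(3):
        m.change(f"user{i}", 1)
    modes.append(s.sync(m))
    for i in range(6):
        m.change(f"user{i}", 2)
    modes.append(s.sync(m))
    m.change("svc", 1)
    modes.append(s.sync(m))
    return modes, s.db == m.db, s.last_serial
```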
