kerberos password change in master-slave environ

Digant Kasundra digant at uta.edu
Wed Mar 24 15:04:07 EST 2004


>I'm not saying multi-master isn't desirable, but for the average realm, you
>can live without it.  For a larger realm, (in the tens of thousands of
>principals) having incremental propagation probably takes care of the
>issues you have with DB propagation.

Our realm has 43,000+ principals so for us, it's a big deal. :)  We have
slaves not only for redundancy, but also for load balancing.  We don't want
all the users on our campus authenticating or changing passwords against
just one machine.  

With Unix and Linux, this one master setup isn't too bad b/c you can tell
clients to auth against a slave and do password changes against the master.
But with "dumb" implementations, like Microsoft, it assumes a KDC is a KDC
is a KDC: one machine that will handle both.  So we have a situation where
our slaves will need to be able to handle password changes, or every Windows
box talks to the master, or some third option (that we are still hoping to
find).

And incremental propagation would definitely take care of that problem.  So
where is it?  I found some outdated information and patches for krepd but
little else.  Although I do know Heimdal supports it (which is nice).

-- DK
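
The Unix/Linux client split described in the message above, sketched as an MIT krb5 `krb5.conf` fragment. This is an added example, not part of the original post; the realm and host names are constructed placeholders.

```ini
# Added example: realm and host names are constructed placeholders.
[realms]
    EXAMPLE.EDU = {
        # Ticket requests (AS/TGS) go to the slaves, tried in the order listed.
        kdc = kdc-slave1.example.edu
        kdc = kdc-slave2.example.edu

        # If a slave rejects a password, the client retries against the
        # master in case the change has not been propagated yet.
        master_kdc = kdc-master.example.edu

        # kadmin and password changes go to the master only, because the
        # slaves hold read-only copies of the database.
        admin_server = kdc-master.example.edu
        kpasswd_server = kdc-master.example.edu
    }
```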

