kerberos password change in master-slave environ

Digant Kasundra digant at uta.edu
Wed Mar 24 15:05:53 EST 2004


I STAND CORRECTED! (on the incremental replication stuff, at least).  I just
got an email with an updated link:
http://www.citi.umich.edu/u/kwc/krb5stuff/replication.html

-----Original Message-----
From: Digant Kasundra
To: 'Ken Hornstein '; Digant Kasundra
Cc: ''Subu Ayyagari ' '; ''kerberos at mit.edu ' '
Sent: 3/24/2004 2:04 PM
Subject: RE: kerberos password change in master-slave environ 

>I'm not saying multi-master isn't desirable, but for the average realm,
>you can live without it.  For a larger realm, (in the tens of thousands of
>principals) having incremental propagation probably takes care of the
>issues you have with DB propagation.

Our realm has 43,000+ principals so for us, it's a big deal. :)  We have
slaves not only for redundancy, but also for load balancing.  We don't
want all the users on our campus authenticating or changing passwords
against just one machine.  

With Unix and Linux, this one master setup isn't too bad b/c you can
tell clients to auth against a slave and do password changes against the
master.  But with "dumb" implementations, like Microsoft, it assumes a
KDC is a KDC is a KDC: one machine that will handle both.  So we have a
situation where our slaves will need to be able to handle password
changes, or every Windows box talks to the master, or some third option
(that we are still hoping to find).

And incremental propagation would definitely take care of that problem.
So where is it?  I found some outdated information and patches for krepd
but little else.  Although I do know Heimdal supports it (which is
nice).

-- DK
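
The Unix/Linux arrangement described in the message above (authenticate against slaves, change passwords against the master) as a client-side MIT krb5 `krb5.conf` fragment. This is an added example, not part of the original post; the realm name EXAMPLE.EDU and the `kdc-*.example.edu` hostnames are placeholders.

```ini
# Added example: client-side /etc/krb5.conf for a realm with one master KDC.
# EXAMPLE.EDU and the kdc-*.example.edu hostnames are placeholders.
[libdefaults]
    default_realm = EXAMPLE.EDU
    # Use only the servers listed under [realms]; do not look KDCs up in DNS.
    dns_lookup_kdc = false

[realms]
    EXAMPLE.EDU = {
        # Authentication (AS/TGS requests) goes to the slaves.
        kdc = kdc-slave1.example.edu:88
        kdc = kdc-slave2.example.edu:88
        # Contacted when a slave rejects a password, which covers a password
        # changed on the master but not yet propagated to the slaves.
        master_kdc = kdc-master.example.edu:88
        # kadmin and password changes (kpasswd, port 464) go only to the master.
        admin_server = kdc-master.example.edu:749
        kpasswd_server = kdc-master.example.edu:464
    }

[domain_realm]
    .example.edu = EXAMPLE.EDU
```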

