kerberos password change in master-slave environ

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Mar 24 15:17:02 EST 2004


>Our realm has 43,000+ principals so for us, it's a big deal. :)  We have
>slaves not only for redundancy, but also for load balancing.  We don't want
>all the users on our campus authenticating or changing passwords against
>just one machine.

With ticket caching, the load against one KDC hasn't been really that bad,
from my experience.

>With Unix and Linux, this one master setup isn't too bad b/c you can tell
>clients to auth against a slave and do password changes against the master.
>But with "dumb" implementations, like Microsoft, it assumes a KDC is a KDC
>is a KDC: one machine that will handle both.  So we have a situation where
>our slaves will need to be able to handle password changes, or every Windows
>box talks to the master, or some third option (that we are still hoping to
>find).

Hm, I'm not sure that's correct.  If you're using the DNS SRV records, you
should be able to specify KDC priority and kpasswd service locations (although
I don't actually know if the MS Kerberos implementation uses the kpasswd
DNS SRV record).

--Ken
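As an added illustration of the DNS SRV split Ken describes (this is not part of his reply or the list archive, and it does not say anything about what any particular client implementation actually looks up): a constructed zone fragment for a hypothetical realm EXAMPLE.COM gives the slaves priority 0 for `_kerberos._udp` so they carry the authentication load, lists the master only as a priority-10 fallback, and points `_kpasswd._udp` (port 464) at the master alone. The code parses those records and orders them the way RFC 2782 prescribes, ascending priority and then weighted random selection within each priority, so you can see which host a conforming client would contact first for each service. Host names and the zone contents are invented for the example.

```python
"""RFC 2782 ordering of Kerberos KDC / kpasswd SRV records (added example)."""
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Srv:
    name: str      # owner name, lower-cased, e.g. "_kerberos._udp.example.com."
    priority: int
    weight: int
    port: int
    target: str

# Constructed sample zone (not from the original post): slaves take the
# authentication load at priority 0, the master is the fallback at priority
# 10, and password changes (kpasswd, port 464) go to the master only.
SAMPLE_ZONE = """\
; Kerberos service location for realm EXAMPLE.COM (constructed example)
_kerberos._udp.EXAMPLE.COM.  IN SRV  0  50  88  kdc-slave1.example.com.
_kerberos._udp.EXAMPLE.COM.  IN SRV  0  50  88  kdc-slave2.example.com.
_kerberos._udp.EXAMPLE.COM.  IN SRV 10 100  88  kdc-master.example.com.
_kpasswd._udp.EXAMPLE.COM.   IN SRV  0 100 464  kdc-master.example.com.
"""

def parse_zone(text: str) -> List[Srv]:
    """Parse the minimal 'owner IN SRV priority weight port target' lines above."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 7 or fields[1].upper() != "IN" or fields[2].upper() != "SRV":
            raise ValueError(f"unsupported zone line: {line!r}")
        name, _, _, pri, weight, port, target = fields
        records.append(Srv(name.lower(), int(pri), int(weight), int(port), target.lower()))
    return records

def select_service(records: List[Srv], service: str, realm: str) -> List[Srv]:
    """Return the SRV records for _<service>._udp.<REALM>. ('kerberos' or 'kpasswd')."""
    owner = f"_{service}._udp.{realm}.".lower()
    return [r for r in records if r.name == owner]

def rfc2782_order(records: List[Srv], rng: Optional[random.Random] = None) -> List[Srv]:
    """Order records as RFC 2782 directs: ascending priority, and within one
    priority a weighted random pick without replacement (weight-0 entries are
    placed first before the running sum is computed)."""
    rng = rng or random.Random()
    ordered: List[Srv] = []
    for pri in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == pri]
        pool.sort(key=lambda r: r.weight != 0)     # stable: weight 0 first
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running, chosen = 0, pool[-1]
            for r in pool:                          # first entry whose running sum >= pick
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(pool.pop(pool.index(chosen)))
    return ordered

def contact_order(zone_text: str, service: str, realm: str,
                  seed: Optional[int] = None) -> List[Tuple[str, int, int]]:
    """(target, port, priority) tuples in the order a conforming client would try them."""
    recs = select_service(parse_zone(zone_text), service, realm)
    return [(r.target, r.port, r.priority) for r in rfc2782_order(recs, random.Random(seed))]

if __name__ == "__main__":
    for svc in ("kerberos", "kpasswd"):
        print(svc, contact_order(SAMPLE_ZONE, svc, "EXAMPLE.COM"))
```

Run it a few times and the two slaves swap places at the head of the `kerberos` list while the master always comes last; the `kpasswd` list is the master alone. A realm that wants the opposite policy (master first for everything) just changes the priorities, which is the knob Ken's reply refers to.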