kerberos password change in master-slave environ
Ken Hornstein
kenh at cmf.nrl.navy.mil
Wed Mar 24 15:17:02 EST 2004
>Our realm has 43,000+ principals so for us, it's a big deal. :) We have
>slaves not only for redundancy, but also for load balancing. We don't want
>all the users on our campus authenticating or changing passwords against
>just one machine.
With ticket caching, the load against one KDC hasn't been really that bad,
from my experience.
>With Unix and Linux, this one master setup isn't too bad b/c you can tell
>clients to auth against a slave and do password changes against the master.
>But with "dumb" implementations, like Microsoft, it assumes a KDC is a KDC
>is a KDC: one machine that will handle both. So we have a situation where
>our slaves will need to be able to handle password changes, or every windows
>box talks to the master, or some third option (that we are still hoping to
>find).
Hm, I'm not sure that's correct. If you're using the DNS SRV records, you
should be able to specify KDC priority and kpasswd service locations (although
I don't actually know if the MS Kerberos implementation uses the kpasswd
DNS SRV record).
--Ken
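
The following example is added for illustration and is not part of the original message. It shows how SRV priorities can steer ticket requests to the slaves while the kpasswd record points only at the master, with targets ordered by the RFC 2782 selection rules; the realm EXAMPLE.EDU and all host names are constructed placeholders, and whether a particular client honours the kpasswd record is not settled by this thread.

```python
import random

# Constructed zone data for a hypothetical realm EXAMPLE.EDU; host names are placeholders.
ZONE = """\
_kerberos._udp.EXAMPLE.EDU.  IN SRV 0  50 88  kdc-slave1.example.edu.
_kerberos._udp.EXAMPLE.EDU.  IN SRV 0  50 88  kdc-slave2.example.edu.
_kerberos._udp.EXAMPLE.EDU.  IN SRV 10 0  88  kdc-master.example.edu.
_kpasswd._udp.EXAMPLE.EDU.   IN SRV 0  0  464 kdc-master.example.edu.
"""

def parse_srv(zone_text):
    """Return {owner name: [(priority, weight, port, target), ...]}."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[1:3] != ["IN", "SRV"]:
            continue  # skip blanks, comments, and other record types
        prio, weight, port = (int(f) for f in fields[3:6])
        records.setdefault(fields[0].lower(), []).append(
            (prio, weight, port, fields[6].rstrip(".")))
    return records

def order_targets(rrset, rng=random):
    """Order an SRV RRset as RFC 2782 describes: lowest priority first,
    weighted random choice among records of equal priority."""
    ordered = []
    for prio in sorted({r[0] for r in rrset}):
        group = [r for r in rrset if r[0] == prio]
        while group:
            total = sum(r[1] for r in group)
            pick = rng.uniform(0, total)
            running = 0
            for rec in group:
                running += rec[1]
                if running >= pick:
                    break
            group.remove(rec)
            ordered.append((rec[3], rec[2]))
    return ordered

def lookup(service, realm, zone_text=ZONE, rng=random):
    """Hosts a client would try, in order, for e.g. '_kerberos._udp'."""
    name = f"{service}.{realm}.".lower()
    return order_targets(parse_srv(zone_text).get(name, []), rng)

if __name__ == "__main__":
    print("KDC order:    ", lookup("_kerberos._udp", "EXAMPLE.EDU"))
    print("kpasswd order:", lookup("_kpasswd._udp", "EXAMPLE.EDU"))
```

With these records the master is contacted for tickets only after both slaves have failed, and password changes have exactly one destination.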