kerberos password change in master-slave environ

Ben Staffin staffin at uiuc.edu
Wed Mar 24 16:22:19 EST 2004


* Digant Kasundra <digant at uta.edu> [2004-03-24 15:02] wibbled:
> >I'm not saying multi-master isn't desirable, but for the average realm,
> >you can live without it.  For a larger realm, (in the tens of thousands of
> >principals) having incremental propagation probably takes care of the
> >issues you have with DB propagation.
> 
> Our realm has 43,000+ principals so for us, it's a big deal. :)  We have
> slaves not only for redundancy, but also for load balancing.  We don't want
> all the users on our campus authenticating or changing passwords against
> just one machine.  

The installation on my campus has on the order of 100,000 principals,
and there are two Kerberos servers: one master and one slave.  They are
both, I believe, IBM 43P/150 at 375MHz machines, and there is not a load
problem.  I'm not a campus-level Kerberos admin, however, so I am not an
authority on the matter.

> With Unix and Linux, this one master setup isn't too bad b/c you can tell
> clients to auth against a slave and do password changes against the master.
> But with "dumb" implementations, like Microsoft, it assumes a KDC is a KDC
> is a KDC: one machine that will handle both.  So we have a situation where
> our slaves will need to be able to handle password changes, or every windows
> box talks to the master, or some third option (that we are still hoping to
> find).
> 
> And incremental propagation would definitely take care of that problem.  So
> where is it?  I found some outdated information and patches for krepd but
> little else.  Although I do know Heimdal supports it (which is nice).

-- 
/--
| Ben Staffin
  perpetual nerd  |
                --/

