kerberos password change in master-slave environ

Digant Kasundra digant at uta.edu
Wed Mar 24 16:50:30 EST 2004


I STAND CORRECTED (AGAIN!!!)  Well, looks like you *CAN* specify a kpasswd
server in Windows XP and 2003.  This should be sufficient.

-----Original Message-----
From: Ken Hornstein
To: Digant Kasundra
Cc: Subu Ayyagari; kerberos at mit.edu
Sent: 3/24/2004 2:17 PM
Subject: Re: kerberos password change in master-slave environ 

>Our realm has 43,000+ principals so for us, it's a big deal. :)  We have
>slaves not only for redundancy, but also for load balancing.  We don't
>want all the users on our campus authenticating or changing passwords
>against just one machine.

With ticket caching, the load against one KDC hasn't been really that
bad, from my experience.

>With Unix and Linux, this one master setup isn't too bad b/c you can
>tell clients to auth against a slave and do password changes against
>the master.  But with "dumb" implementations, like Microsoft, it
>assumes a KDC is a KDC is a KDC: one machine that will handle both.  So
>we have a situation where our slaves will need to be able to handle
>password changes, or every Windows box talks to the master, or some
>third option (that we are still hoping to find).

Hm, I'm not sure that's correct.  If you're using the DNS SRV records,
you should be able to specify KDC priority and kpasswd service locations
(although I don't actually know if the MS Kerberos implementation uses
the kpasswd DNS SRV record).

--Ken
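The SRV-record split Ken describes, as an added example that is not from this thread: a constructed zone fragment publishes `_kerberos._udp` records for the master and both slaves (equal priority, weighted) so KDC traffic is spread out, while `_kpasswd._udp` names only the master, and the RFC 2782 ordering a client applies to those records is implemented to show the effect. The EXAMPLE.COM realm and the kdc-* hostnames are placeholders.

```python
"""RFC 2782 SRV selection over constructed Kerberos SRV records.

Added example, not from the mailing-list thread. The realm EXAMPLE.COM
and the kdc-* hostnames below are constructed placeholders.
"""
import random
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed zone fragment: KDC lookups are spread over master and
# slaves by weight; kpasswd lookups resolve to the master only.
ZONE = """
_kerberos._udp.EXAMPLE.COM.  IN SRV 0 50 88  kdc-master.example.com.
_kerberos._udp.EXAMPLE.COM.  IN SRV 0 25 88  kdc-slave1.example.com.
_kerberos._udp.EXAMPLE.COM.  IN SRV 0 25 88  kdc-slave2.example.com.
_kpasswd._udp.EXAMPLE.COM.   IN SRV 0 0  464 kdc-master.example.com.
"""

Record = Tuple[int, int, int, str]  # priority, weight, port, target


def parse_srv(zone: str, service: str) -> List[Record]:
    """Return the SRV records whose owner starts with `service` (e.g. '_kpasswd._udp')."""
    out: List[Record] = []
    for line in zone.strip().splitlines():
        owner, _cls, rrtype, prio, weight, port, target = line.split()
        if rrtype == "SRV" and owner.lower().startswith(service.lower() + "."):
            out.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return out


def order_srv(records: List[Record], seed: Optional[int] = None) -> List[Tuple[str, int]]:
    """Order (target, port) pairs as an RFC 2782 client does: ascending
    priority, then weighted random selection within each priority level."""
    rng = random.Random(seed)
    ordered: List[Tuple[str, int]] = []
    for prio in sorted({r[0] for r in records}):
        # RFC 2782: weight-0 records go first so they are rarely chosen.
        pool = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for r in pool:
                running += r[1]
                if running >= pick:
                    ordered.append((r[3], r[2]))
                    pool.remove(r)
                    break
    return ordered


def first_choice_counts(records: List[Record], trials: int, seed: int) -> Dict[str, int]:
    """How often each target comes first over `trials` lookups (shows load spread)."""
    return Counter(order_srv(records, seed + i)[0][0] for i in range(trials))
```

With the records above, every kpasswd lookup yields only kdc-master, while the first KDC chosen across many lookups lands on the master about half the time and on each slave about a quarter.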
