Kerberos Propagation question

Ken Raeburn raeburn at MIT.EDU
Tue Sep 7 15:30:31 EDT 2010


On Sep 7, 2010, at 15:06, Pax Industria wrote:
> Hi,
> 
> A colleague asked recently if KDCs could replicate more frequently; his
> suggestion was every 3 minutes. That seemed as though it could have adverse
> effects on the KDCs, but I couldn't find anything in the docs on a best
> practice for how frequently / infrequently to replicate the database. I seem
> to recall that propagation locks the DB, but I wasn't able to find a
> reference to it. (I could have made it up..., or maybe I just didn't see it
> in the docs.) Would pushing the database out that frequently be problematic?

A full dump briefly locks the database against updates while it writes out a text version, but then the propagation is done with the text version, and the database is unlocked, so changes can be made.  For very large databases, though, the full dump-copy-load sequence can take a while.

However, in recent versions of MIT's code, there's an incremental propagation mode contributed by Sun which can send updates much more efficiently, and only uses full propagation when necessary.  If you wish to keep your KDCs very closely in sync I suggest you look at using that mode, especially if you have a large database.

> Besides increased load on the system, could that have an adverse effect on
> admins working on the database?

It shouldn't, at least with the incremental propagation code in use.

Ken


-- 
Ken Raeburn / raeburn at mit.edu
NOT working or speaking for the MIT Kerberos Consortium
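
The incremental propagation mode mentioned in the reply is switched on in kdc.conf; the fragment below is an added example, not part of the original message, showing the relations involved on the master and on one replica in MIT krb5. The realm name, hostname and port number are constructed placeholders, and the values are illustrative rather than recommendations.

```ini
# ---- kdc.conf on the master KDC (constructed example) ----
[realms]
    EXAMPLE.COM = {
        # Turn on incremental propagation; kadmind then records each
        # database change in an update log instead of relying only on
        # periodic full dumps.
        iprop_enable = true

        # Number of update-log entries kept for replicas to catch up from.
        # A replica that falls further behind than this gets a full resync.
        iprop_master_ulogsize = 1000

        # Port kadmind listens on for iprop requests. There is no default,
        # so it must be set (2121 is an arbitrary choice here).
        iprop_port = 2121
    }

# ---- kdc.conf on a replica KDC (constructed example) ----
[realms]
    EXAMPLE.COM = {
        iprop_enable = true

        # Must match the port configured on the master.
        iprop_port = 2121

        # How often kpropd on the replica asks the master for new updates.
        # Named iprop_replica_poll in newer releases.
        iprop_slave_poll = 2m
    }

# ---- kadm5.acl on the master (constructed example) ----
# The replica authenticates as kiprop/<hostname> and needs the "p"
# (propagation) privilege to pull updates:
#
#   kiprop/kdc2.example.com@EXAMPLE.COM    p
```

With this in place the replica runs kpropd, which polls the master at the configured interval and receives only the changed entries, falling back to a full dump when the update log no longer covers the gap.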




