Determining the number of clients per KDC

Russ Allbery eagle at eyrie.org
Mon Apr 16 17:41:29 EDT 2018


Sergei Gerasenko <gerases at gmail.com> writes:

> Will keeping an access log slow me down much, do you know?

Yes, you may want to tune syslog or whatever you're using for your KDC
logging, although MIT is a lot better than Heimdal in that regard (Heimdal
is very verbose).  I generally disabled sync to disk on the syslog log
file that the KDC logging was routed to.

> For that matter, is there a benchmarking tool for KDCs?

Not that I'm aware of.  I usually just rolled my own by calling kinit with
a keytab and then kvno to get service tickets.

> Ok, it’s just that I see everywhere
> (e.g. https://en.wikipedia.org/wiki/Kerberos_(protocol)) that the initial
> TGT response includes a session key that the host and the service server
> will share. So that’s what got me thinking that once a TGT is retrieved,
> the client should request a service ticket using the same KDC. But like
> I said, I’m total newb.

The TGT contains both the session key and a copy of the session key
encrypted in the KDC's private key, which is shared between all of the
KDCs as part of the normal database, and the client always provides that
encrypted copy of the key back in subsequent protocol exchanges.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
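A small load generator in the spirit of the approach described above (kinit from a keytab, then kvno for a service ticket), added here as an example; it is not code from the thread or from MIT Kerberos. It assumes the MIT client tools kinit, kvno and kdestroy are on the PATH, that date supports GNU's %N, and that the caller supplies a client principal, its keytab, a target service principal and a round count; all of those are placeholders the reader fills in.

```bash
#!/usr/bin/env bash
# Added example, not from the mailing-list thread: a minimal KDC load generator.
# Each round does one AS exchange (kinit with a keytab) and one TGS exchange
# (kvno), which is exactly the pair of requests a real client sends.
set -u

# Milliseconds since the epoch (needs GNU date for %N).
now_ms() { echo $(( $(date +%s%N) / 1000000 )); }

# One measurement: obtain a TGT from a keytab, then fetch a service ticket.
# Prints the elapsed time in milliseconds, or returns non-zero on failure.
# A private credential cache keeps the run from touching the user's own tickets.
one_round() {
    local principal=$1 keytab=$2 service=$3
    local cc start end
    cc=$(mktemp "${TMPDIR:-/tmp}/kdcbench.XXXXXX") || return 1
    start=$(now_ms)
    KRB5CCNAME="FILE:$cc" kinit -k -t "$keytab" "$principal" >/dev/null 2>&1 \
        || { rm -f "$cc"; return 1; }
    KRB5CCNAME="FILE:$cc" kvno "$service" >/dev/null 2>&1 \
        || { rm -f "$cc"; return 1; }
    end=$(now_ms)
    KRB5CCNAME="FILE:$cc" kdestroy >/dev/null 2>&1
    rm -f "$cc"
    echo $(( end - start ))
}

# Summarise a list of per-round latencies (ms): count, mean and worst case.
# Integer arithmetic only, so it runs under any bash.
summarize_ms() {
    local n=0 sum=0 max=0 v
    for v in "$@"; do
        n=$(( n + 1 ))
        sum=$(( sum + v ))
        if [ "$v" -gt "$max" ]; then max=$v; fi
    done
    if [ "$n" -eq 0 ]; then echo "n=0"; return 1; fi
    echo "n=$n mean_ms=$(( sum / n )) max_ms=$max"
}

# Usage: kdc_bench PRINCIPAL KEYTAB SERVICE [ROUNDS]
# Prints the failure count followed by the latency summary of successful rounds.
kdc_bench() {
    local principal=$1 keytab=$2 service=$3 rounds=${4:-100}
    local i ms failures=0
    local samples=()
    for (( i = 0; i < rounds; i++ )); do
        if ms=$(one_round "$principal" "$keytab" "$service"); then
            samples+=("$ms")
        else
            failures=$(( failures + 1 ))
        fi
    done
    echo "failures=$failures"
    summarize_ms ${samples[@]+"${samples[@]}"}
}

# Only drive a KDC when invoked with arguments, so sourcing the file is harmless.
if [ "$#" -ge 3 ]; then
    kdc_bench "$@"
else
    echo "usage: $0 PRINCIPAL KEYTAB SERVICE [ROUNDS]" >&2
fi
```

Run several copies in parallel (for example from a few client hosts) to approximate concurrent load, and compare the client-side latencies with the KDC's own log to see where time goes. The client library chooses the KDC for the realm, so to load one particular KDC point KRB5_CONFIG at a krb5.conf that lists only that server; because the TGS request carries the encrypted TGT back to whichever KDC answers, the AS and TGS exchanges do not have to hit the same KDC.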