iprop_iprop_replica_poll=2m default...

Tareq Alrashid tareq at qerat.com
Thu Jan 9 09:26:40 EST 2020


Thanks for the reply, Kenny.

I left out an important detail: on campus, of course, everything is configured to use the master KDC first, then kerb2/kerb3…etc., no problem.

This affects users of our cloud services, for example in AWS, where we have duplicated all/most of our infrastructure services: if a user changes her password using our web tools against the master KDC on campus, said user will not be able to log in immediately until the changes are replicated out to the replica Kerberos servers in AWS. Granted, 2m is not long, but this is the reason for asking in the first place: to see if 2m is the shortest time delta allowed.

Thanks,
Tareq

> On Jan 9, 2020, at 4:11 AM, Kenneth MacDonald <Kenneth.MacDonald at ed.ac.uk> wrote:
> 
> On Wed, 2020-01-08 at 13:38 -0500, Tareq Alrashid wrote:
>> How can we make it as close to realtime as possible? 
>> what is the smallest value possible we can assign?
>> 
>> Background:
>> 
>> Master receives a newly provisioned user, or new password
>> change/reset, and since we live in the instant-gratification times,
>> users attempt to log in to services that are configured to authenticate
>> against replica servers which of course have not been propagated to
>> yet…. failed login => open a help desk ticket…etc. waste of time and
>> frustration.
>> 
>> How do you all deal with the latency in your hi-ed environment? 
>> 
>> HNY! Thanks for any insights 
> 
> We haven't reduced the polling interval, but have configured our web
> single sign on hosts to authenticate against our master KDC in
> preference to the slaves by listing their IP addresses in order in
> /etc/krb5.conf.
> 
> Cheers,
> 
> Kenny.
> 
> 
> 
> 
> 
> -- 
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
> 
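As an added example (not code from this thread, from MIT Kerberos, or from either poster), the following Python checks the two things discussed above: how far a replica's update log trails the master's, read from the header that `kproplog -h` prints on each KDC, and whether a krb5.conf [realms] block lists the master KDC before the replicas, as Kenny describes. The kproplog output and the krb5.conf fragment are constructed samples; the header field names follow the MIT kproplog format as I recall it, the realm and IP addresses are made up, and the check assumes the replica's "Last time stamp" carries the master's timestamp for the last replayed update, so verify all of that against your own KDCs before relying on it.

```python
"""Added example (not from this thread or MIT Kerberos): measure iprop
replication lag from `kproplog -h` headers and check krb5.conf KDC order.
Sample outputs and the krb5.conf fragment below are constructed."""
import re
from datetime import datetime

# Constructed sample: `kproplog -h` run on the master KDC.
MASTER_HEADER = """\
Kerberos update log (/var/kerberos/krb5kdc/principal.ulog)
Update log dump :
	Log version # : 1
	Log state : Stable
	Number of entries : 2500
	First serial # : 1
	Last serial # : 2500
	First time stamp : Thu Jan  9 08:00:00 2020
	Last time stamp : Thu Jan  9 09:26:40 2020
"""

# Constructed sample: `kproplog -h` on a replica that last polled about 2m ago.
REPLICA_HEADER = """\
Kerberos update log (/var/kerberos/krb5kdc/principal.ulog)
Update log dump :
	Log version # : 1
	Log state : Stable
	Number of entries : 2493
	First serial # : 1
	Last serial # : 2493
	First time stamp : Thu Jan  9 08:00:00 2020
	Last time stamp : Thu Jan  9 09:24:30 2020
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"  # ctime(3) layout as printed by kproplog


def parse_ulog_header(text):
    """Return the last serial number and last timestamp from kproplog -h output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    if fields.get("Last serial #", "None") == "None":  # empty update log
        return {"last_serial": 0, "last_time": None}
    return {"last_serial": int(fields["Last serial #"]),
            "last_time": datetime.strptime(fields["Last time stamp"], TIME_FMT)}


def replication_lag(master_text, replica_text):
    """Serials and seconds by which the replica trails the master."""
    m, r = parse_ulog_header(master_text), parse_ulog_header(replica_text)
    secs = None
    if m["last_time"] and r["last_time"]:
        secs = (m["last_time"] - r["last_time"]).total_seconds()
    return {"serial_lag": m["last_serial"] - r["last_serial"],
            "time_lag_seconds": secs}


def change_is_replicated(replica_text, change_time_str):
    """True once the replica has replayed an update stamped at or after
    change_time_str (ctime format), i.e. a password change made then should
    already work against it.  Updates are replayed in serial order, so the
    replica's last timestamp is enough (assumed to be the master's stamp)."""
    r = parse_ulog_header(replica_text)
    change_time = datetime.strptime(change_time_str, TIME_FMT)
    return r["last_time"] is not None and r["last_time"] >= change_time


# Constructed krb5.conf fragment in the arrangement Kenny describes: the
# master KDC listed first so hosts using it try the master before replicas.
KRB5_CONF = """\
[realms]
    EXAMPLE.EDU = {
        kdc = 192.0.2.10
        kdc = 192.0.2.11
        kdc = 198.51.100.11
        master_kdc = 192.0.2.10
        admin_server = 192.0.2.10
    }
"""


def realm_block(conf, realm):
    """Body of the `REALM = { ... }` block, or '' if the realm is absent."""
    m = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", conf, re.S)
    return m.group(1) if m else ""


def kdc_order(conf, realm):
    """The kdc = entries for realm, in the order libkrb5 will try them."""
    return re.findall(r"^\s*kdc\s*=\s*(\S+)", realm_block(conf, realm), re.M)


def master_first(conf, realm):
    """True if the first kdc entry is the same host as the master_kdc entry."""
    master = re.search(r"^\s*master_kdc\s*=\s*(\S+)", realm_block(conf, realm), re.M)
    kdcs = kdc_order(conf, realm)
    return bool(kdcs) and master is not None and kdcs[0] == master.group(1)


if __name__ == "__main__":
    print(replication_lag(MASTER_HEADER, REPLICA_HEADER))
    print(change_is_replicated(REPLICA_HEADER, "Thu Jan  9 09:25:00 2020"))
    print(kdc_order(KRB5_CONF, "EXAMPLE.EDU"), master_first(KRB5_CONF, "EXAMPLE.EDU"))
```

In practice you would feed it the `kproplog -h` output collected from each KDC over ssh. A serial lag of zero means the replica had replayed everything the master held when you asked; change_is_replicated answers the help-desk question of whether a password change made at a given time should already work against a replica. It says nothing about the smallest iprop_replica_poll value, which the thread leaves open.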
