iprop_iprop_replica_poll=2m default...

Kenneth MacDonald Kenneth.MacDonald at ed.ac.uk
Thu Jan 9 11:09:51 EST 2020


Ah, OK.  I cannot answer whether 2m is the minimum value.

Cheers,

Kenny.

On Thu, 2020-01-09 at 09:26 -0500, Tareq Alrashid wrote:
> Thanks for the reply, Kenny.
> 
> I have left out an important detail, on campus of course all is
> configured to master KDC first, the kerb2/kerb3…etc., no problem.
> 
> This affects users of our cloud services, for example in AWS where
> we have duplicated all/most of our infrastructure services, if a user
> changes her password using our web tools against master KDC on
> campus, said user will not be able to log in immediately until changes
> are replicated out to the replica Kerberos servers in AWS. Granted 2m
> is not long, but this is the reason for asking in the first place to
> see if 2m is the shortest time delta allowed.
> 
> Thanks,
> Tareq
> 
> > On Jan 9, 2020, at 4:11 AM, Kenneth MacDonald <
> > Kenneth.MacDonald at ed.ac.uk> wrote:
> > 
> > On Wed, 2020-01-08 at 13:38 -0500, Tareq Alrashid wrote:
> > > How can we make it as close to realtime as possible? 
> > > what is the smallest value possible we can assign?
> > > 
> > > Background:
> > > 
> > > Master receives a newly provisioned user, or new password
> > > change/reset, and since we live in the instant-gratification times,
> > > users attempt to login onto services that are configured to
> > > authenticate against replica servers which of course have not been
> > > propagated to yet…. failed login => open a help desk ticket…etc.
> > > waste of time and frustration.
> > > 
> > > How do you all deal with the latency in your hi-ed environment? 
> > > 
> > > HNY! Thanks for any insights 
> > 
> > We haven't reduced the polling interval, but have configured our web
> > single sign on hosts to authenticate against our master KDC in
> > preference to the slaves by listing their IP addresses in order in
> > /etc/krb5.conf.
> > 
> > Cheers,
> > 
> > Kenny.
> > 
> > 
> > 
> > 
> > 
> > -- 
> > The University of Edinburgh is a charitable body, registered in
> > Scotland, with registration number SC005336.
> > 
> 
> 
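
The workaround described in the quoted reply (master KDC listed ahead of the replicas in /etc/krb5.conf), written out as an added example that is not part of the original thread or either poster's configuration. The realm name EXAMPLE.EDU and the 192.0.2.x addresses are placeholders, and the master_kdc line is an MIT krb5 option that the thread does not mention.

```ini
# /etc/krb5.conf on a web single sign-on host (constructed example).
# EXAMPLE.EDU and the 192.0.2.x addresses are placeholders.
[libdefaults]
    default_realm = EXAMPLE.EDU

[realms]
    EXAMPLE.EDU = {
        # KDCs are listed in order of preference. The master comes first,
        # so a password changed there can be used at once.
        kdc = 192.0.2.10

        # Replicas follow as fallbacks. They can lag the master by up to
        # one iprop polling interval (2m in the thread).
        kdc = 192.0.2.11
        kdc = 192.0.2.12

        admin_server = 192.0.2.10

        # Not from the thread: with master_kdc set, an MIT krb5 client
        # whose initial authentication fails on another KDC because of a
        # wrong password retries against this KDC, which covers a
        # password change that has not reached the replicas yet.
        master_kdc = 192.0.2.10
    }
```

Listing the master first sends every login from that host to it, so the replicas on such a host act only as fallbacks when the master is unreachable.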


