iprop_iprop_replica_poll=2m default...

Greg Hudson ghudson at mit.edu
Thu Jan 9 11:24:33 EST 2020


On 1/8/20 1:38 PM, Tareq Alrashid wrote:
> How can we make it as close to realtime as possible? 
> what is the smallest value possible we can assign?

You can assign a value as low as one second.

> Master receives a newly provisioned user, or new password change/reset, and since we live in the instant-gratification times, users attempt to log in to services that are configured to authenticate against replica servers which of course have not been propagated to yet... failed login => open a help desk ticket...etc. waste of time and frustration.

You could try configuring a master_kdc value in krb5.conf on the clients
(or, if you use DNS, adding _kerberos-master._udp.realm and
_kerberos-master._tcp.realm records).  If these are present, kinit will
retry with the master KDC if it gets an error from the first KDC it
tries, if the error could have resulted from propagation not having
happened yet.
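An added check (not from the original post or from MIT Kerberos itself) for the fallback Greg describes: it parses the [realms] section of a krb5.conf and reports, per realm, whether master_kdc is set or which _kerberos-master SRV records must exist instead. The sample config, hostnames and realm names are constructed for the example.

```python
import re

# Constructed sample krb5.conf (not from the original post): EXAMPLE.COM sets
# master_kdc explicitly, TEST.ORG would have to rely on DNS SRV records.
SAMPLE_KRB5_CONF = """\
[realms]
    EXAMPLE.COM = {
        kdc = replica1.example.com
        kdc = replica2.example.com
        master_kdc = master.example.com
    }
    TEST.ORG = {
        kdc = kdc1.test.org
    }
"""

def parse_realms(conf_text):
    """Return {realm: {key: [values]}} from the [realms] section.
    Minimal parser for 'REALM = { key = value ... }'; it does not follow
    include/includedir directives or nested subsections."""
    realms, section, current = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, current = m.group(1), None
        elif section != "realms":
            continue
        elif m := re.fullmatch(r"(\S+)\s*=\s*\{", line):
            current = realms.setdefault(m.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return realms

def master_fallback_status(conf_text):
    """Per realm: ("master_kdc", host) if krb5.conf names the master KDC,
    else ("dns", [SRV names]) listing the records that must exist instead."""
    report = {}
    for realm, settings in parse_realms(conf_text).items():
        if settings.get("master_kdc"):
            report[realm] = ("master_kdc", settings["master_kdc"][0])
        else:
            report[realm] = ("dns", [f"_kerberos-master._udp.{realm}",
                                     f"_kerberos-master._tcp.{realm}"])
    return report
```

A realm reported as "dns" with no matching SRV records has no master fallback at all, so a client hitting a not-yet-propagated replica simply fails.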
