iprop_iprop_replica_poll=2m default...
Tareq Alrashid
tareq at qerat.com
Thu Jan 9 11:32:45 EST 2020
Thanks Greg.
Final question: is there any negative impact from having replicas poll as
often as one second, or maybe it is best to be at higher numbers of seconds?
On Thu, Jan 9, 2020 at 11:24 Greg Hudson <ghudson at mit.edu> wrote:
> On 1/8/20 1:38 PM, Tareq Alrashid wrote:
> > How can we make it as close to realtime as possible?
> > what is the smallest value possible we can assign?
>
> You can assign a value as low as one second.
>
> > Master receives a newly provisioned user, or new password change/reset,
> > and since we live in the instant-gratification times, users attempt to
> > log in to services that are configured to authenticate against replica servers
> > which of course have not been propagated to yet…. failed login => open a
> > help desk ticket…etc. waste of time and frustration.
>
> You could try configuring a master_kdc value in krb5.conf on the clients
> (or, if you use DNS, adding _kerberos-master._udp.realm and
> _kerberos-master._tcp.realm records). If these are present, kinit will
> retry with the master KDC if it gets an error from the first KDC it
> tries, if the error could have resulted from propagation not having
> happened yet.
>
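
The client-side setting suggested in the reply above, written out as an added illustration that is not part of the original message. The realm name and host names are placeholders, and the port in the DNS comment assumes the standard Kerberos port 88.

```ini
# krb5.conf on the clients (EXAMPLE.COM and all host names are placeholders)
[realms]
    EXAMPLE.COM = {
        # Replica KDCs that clients contact first.
        kdc = kdc-replica1.example.com
        kdc = kdc-replica2.example.com

        # KDC that kinit retries against when the first KDC returns an
        # error that could have resulted from propagation not having
        # happened yet (new principal, recent password change).
        master_kdc = kdc-master.example.com
    }

# DNS alternative to master_kdc, as zone records for the realm:
#   _kerberos-master._udp.EXAMPLE.COM. IN SRV 0 0 88 kdc-master.example.com.
#   _kerberos-master._tcp.EXAMPLE.COM. IN SRV 0 0 88 kdc-master.example.com.
```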