iprop_replica_poll=2m default...
Tareq Alrashid
tareq at qerat.com
Fri Jan 10 20:22:53 EST 2020
> You can assign a value as low as one second.
Maybe I am missing something but changing the kdc.conf to any value...
iprop_replica_poll=1s
or even...
iprop_replica_poll = 0.016666666666667m
(for 1s = 1/60 min!)
Based on tailing the kadmind.log, it is showing the replica polling every 2m!?
> On Jan 9, 2020, at 11:32 AM, Tareq Alrashid <tareq at qerat.com> wrote:
>
> Thanks Greg.
> Final question: is there any negative impact from having replicas poll as often as one second, or is it best to stay at a higher number of seconds?
>
> On Thu, Jan 9, 2020 at 11:24 Greg Hudson <ghudson at mit.edu> wrote:
> On 1/8/20 1:38 PM, Tareq Alrashid wrote:
> > How can we make it as close to realtime as possible?
> > what is the smallest value possible we can assign?
>
> You can assign a value as low as one second.
>
> > Master receives a newly provisioned user, or a new password change/reset, and since we live in instant-gratification times, users attempt to log in to services that are configured to authenticate against replica servers which of course have not been propagated to yet... failed login => open a help desk ticket, etc. Waste of time and frustration.
>
> You could try configuring a master_kdc value in krb5.conf on the clients
> (or, if you use DNS, adding _kerberos-master._udp.realm and
> _kerberos-master._tcp.realm records). If these are present, kinit will
> retry with the master KDC if it gets an error from the first KDC it
> tries, if the error could have resulted from propagation not having
> happened yet.
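For reference, here is what the two settings discussed in this thread look like in the MIT Kerberos configuration files. This is an added illustration, not configuration posted by anyone in the thread; the realm name EXAMPLE.COM and the hostnames kdc1/kdc2 are placeholders, and the 1s interval is the minimum Greg cites above.

```ini
# ---- kdc.conf on each replica (read by kpropd) ----
# Placeholder realm; the iprop settings live in the realm's subsection.
[realms]
    EXAMPLE.COM = {
        iprop_enable = true
        # How often kpropd polls the master for incremental updates.
        # The default is 2m; the thread states 1s is the lowest value.
        iprop_replica_poll = 1s
    }

# ---- krb5.conf on the clients ----
# Placeholder realm and hostnames. kdc1 is the master, kdc2 a replica.
[realms]
    EXAMPLE.COM = {
        kdc = kdc2.example.com
        kdc = kdc1.example.com
        # kinit retries against this KDC when the first KDC returns an
        # error that could be explained by propagation not having
        # happened yet (e.g. right after a password change on the master).
        master_kdc = kdc1.example.com
    }
```

If the clients locate KDCs through DNS instead of krb5.conf, the equivalent is to publish `_kerberos-master._udp.EXAMPLE.COM` and `_kerberos-master._tcp.EXAMPLE.COM` SRV records pointing at the master, as Greg notes. The fallback only applies to errors that could stem from propagation lag, so it does not route every authentication to the master.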