New "feature" for Kerberos?
John Hascall
john at iastate.edu
Tue Nov 12 14:15:01 EST 2002
> Quoth John Hascall <john at iastate.edu>:
> ...
> | Random thoughts:
> | + Obviously, this requires the REQUIRES_PRE_AUTH attribute,
> | and ./configure --with-kdc-kdb-update
> That has been the kicker when anything has come up around here involving
> attempt histories. Everyone likes the idea that the KDC database mostly
> reads and rarely writes, and no one wants to turn that around.
Measurements that I have done, and similar ones done at
U Mich show only a small performance hit from turning on
with-kdc-kdb-update.
> And then we have multiple KDCs, which would have to be taken into account.
IMO, w/o a "real-time" replication (like U Mich developed)
the only possible use for slaves is disaster recovery
(which is how we use ours), so this concerns me not.
[We've had 500 password changes in an hour upon
occasion, kproping twice a day doesn't really capture
that very well if somebody is "load balanced" to
the slave.]
John