New "feature" for Kerberos?

John Hascall john at
Tue Nov 12 14:15:01 EST 2002

> Quoth John Hascall <john at>:
> ...
> | Random thoughts:
> |    + Obviously, this requires the REQUIRES_PRE_AUTH attribute,
> |      and ./configure --with-kdc-kdb-update

> That has been the kicker when anything has come up around here involving
> attempt histories.  Everyone likes the idea that the KDC database mostly
> reads and rarely writes, and no one wants to turn that around.

  Measurements that I have done, and similar ones done at
  U Mich show only a small performance hit from turning on

> And then we have multiple KDCs, which would have to be taken into account.

  IMO, w/o a "real-time" replication (like U Mich developed)
  the only possible use for slaves is disaster recovery,
  (which is how we use ours), so this concerns me not.

  [We've had 500 password changes in an hours upon
  ocassion, kproping twice a day doesn't really capture
  that very well if somebody is "load balanced" to
  the slave.]


More information about the krbdev mailing list