John Hascall john at
Wed Jan 14 18:59:28 EST 2004

> >     Wachdorf,> I know that the define KRBCONF_KDC_MODIFIES_KDB can be
> >     Wachdorf,> used to blacklist users by writing to the kdb every
> >     Wachdorf,> time a user enters an incorrect password.  The comments
> >     Wachdorf,> in the code indicate that this cannot be used with
> >     Wachdorf,> replication.  Why is that the case?

> > Well, our KDC will not replicate the information very effectively so
> > you get more tries than you strictly should.

> Is there a problem beyond that due to locking?  If I were to replicate a
> large amount of users, would the db be locked that whole time?  Would this
> lock out the kdc?

It's not really a locking issue.  If all the appropriate options are
turned on, the code enforces a five-strikes-and-you-are-out policy.
If you have 3 KDCs, you can get 15 tries at each principal because
each will give you 5.  Or with N slaves I think you can get (N * 5)
attempts per replication period (attack the slaves and then the master
will overwrite them and you can do it again).

This is a minor concern.

In any event, I think it is fairly common for big sites to do some
sort of 'near realtime' incremental replication rather than the
bulk kprop thingy.


More information about the krbdev mailing list