KRBCONF_KDC_MODIFIES_KDB
John Hascall
john at iastate.edu
Wed Jan 14 21:31:22 EST 2004
> > It's not really a locking issue. If all the appropriate
> > options are turned on, the code enforces a
> > five-strikes-and-you-are-out policy.
> > If you have 3 KDCs, you can get 15 tries at each principal
> > because each will give you 5. Or with N slaves I think you
> > can get (N * 5) attempts per replication period (attack the
> > slaves and then the master will overwrite them and you can do
> > it again).
> > This is a minor concern.
> > In any event, I think it is fairly common for big sites to do
> > some sort of 'near realtime' incremental replication rather
> > than the bulk kprop thingy.
> And I suppose a more pertinent question is if you're using the
> U. of Michigan patches for replication, should you expect 5 tries,
> 15 or somewhere inbetween or perhaps a corrupt/inconsistant db?
We're using our own replicator, but I think it is similar.
We only replicate from master to slaves, so if you did the
slaves first you could get 15. I don't really care though,
our KDCs can do 1000 attempts/sec - that's what I'm looking
to stop.
John
More information about the krbdev
mailing list