Ticket 5338: Race conditions in key rotation
Nicolas Williams
Nicolas.Williams at sun.com
Tue Jun 24 12:58:44 EDT 2008
On Tue, Jun 24, 2008 at 12:46:31PM -0400, Jeffrey Altman wrote:
> Jeffrey Hutzelman wrote:
> >The presumption here is that there _is_ a "master" which is "more
> >definitive".
> For MIT Kerberos the introduction of "master_kdc" says exactly that.
> There is in fact a master and that master is more definitive. That is
> how the clients already work when it comes to AS requests. Our
> proposal is to extend that behavior to TGS requests.
>
> If there is no defined master, then there is no master to fall back to.
I think this has to default to off. TGS requests usually outnumber AS
requests by a fair amount. I don't think the client should begin to
behave in a way that seriously challenges the KDC infrastructure
performance assumptions made by sysadmins in the past.
Nico