KDC query client performance

Sam Hartman hartmans at MIT.EDU
Mon Feb 14 19:34:51 EST 2011


>>>>> "Simo" == Simo Sorce <ssorce at redhat.com> writes:

    Simo> On Mon, 14 Feb 2011 18:35:14 +0000
    Simo> "Roland C. Dowdeswell" <elric at imrryr.org> wrote:

    >> Also, it might be a better idea in the longer term to write a little
    >> daemon that runs as root, listens on a UNIX domain socket and
    >> accepts requests from the krb5 libs to have conversations with
    >> various KDCs.  The advantage of this would be that this daemon
    >> could keep track of which KDCs are up and perhaps even keep track
    >> of which ones answer the quickest (and are therefore likely the
    >> closest), etc.

    Simo> You can do this separately by creating a locator plugin.
    Simo> That's what we do with the SSSD project at least, so that the
    Simo> sssd daemon does the discovery and just tells the krb5 libs
    Simo> what is the ip address to use for the KDC.

Yes, but I think that this is important enough to Kerberos performance
that someone should really do this separately from SSSD.  If you're
going to use SSSD, or some full infrastructure, you'll use their KDC
locator.  However, you really want this service.  All the time. Even if
you just want a Kerberos client.


