KDC performance test - lookaside cache impact, testing framework
Greg Hudson
ghudson at MIT.EDU
Mon Jun 18 11:45:12 EDT 2012
On 06/18/2012 11:32 AM, Roland C. Dowdeswell wrote:
> Given that many OTP services perform lockouts, it seems to me that
> (if one can't turn off that rather unhelpful behaviour) perhaps
> the solution will have to be a bit more complicated than a per-KDC
> lookaside cache.
The way we've historically handled this with pa-sam-2 is for the KDC to
drop the request (not even replying with an error) if it detects that
it's not the same KDC as the one which generated the preauth-required
response.
(On the client end, we'd like to make libkrb5 "stick" to the KDC address
which generated the preauth-required response. That's a bit of a
technical challenge. It also doesn't help when there are network load
balancers or KDC worker processes involved.)
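The drop rule and per-KDC lookaside cache discussed above, as an added example that is not part of the original thread or of MIT krb5 (it is a small constructed simulation, not the pa-sam-2 implementation): each KDC binds its preauth-required error to itself with an HMAC cookie, replays its own cached answer when the same request is retransmitted to it, and silently drops a retry whose cookie was minted by a different KDC so that a lockout-prone OTP backend never sees the same OTP twice. The `REALM_KEY`, the cookie layout, the `OTPService` lockout model and the `check_origin` switch are all assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Hypothetical secret shared by all KDCs of a realm (an assumption for this
# example; a real deployment would derive per-KDC values from the master key).
REALM_KEY = b"constructed-realm-key"


class OTPService:
    """Constructed single-use OTP backend that locks out after too many failures."""

    def __init__(self, valid_otp: str, max_failures: int = 3) -> None:
        self.valid_otp = valid_otp
        self.max_failures = max_failures
        self.failures = 0
        self.used = False
        self.verifications = 0

    def verify(self, otp: str) -> bool:
        self.verifications += 1
        if self.locked_out():
            return False
        if otp == self.valid_otp and not self.used:
            self.used = True          # each OTP value is accepted exactly once
            return True
        self.failures += 1            # a replayed or wrong value counts toward lockout
        return False

    def locked_out(self) -> bool:
        return self.failures >= self.max_failures


@dataclass(frozen=True)
class ASRequest:
    client: str
    nonce: int
    otp: Optional[str] = None       # present only on the retry carrying preauth data
    cookie: Optional[bytes] = None  # echoed back from the preauth-required error


@dataclass(frozen=True)
class Reply:
    kind: str                       # "PREAUTH_REQUIRED", "TGT" or "PREAUTH_FAILED"
    cookie: Optional[bytes] = None


class KDC:
    def __init__(self, kdc_id: str, otp: OTPService, check_origin: bool = True) -> None:
        self.kdc_id = kdc_id
        self.otp = otp
        self.check_origin = check_origin   # False models a KDC without the drop rule
        self.lookaside: dict[bytes, Reply] = {}
        self.dropped = 0

    def _cookie(self, nonce: int) -> bytes:
        # The MAC input includes this KDC's identity, so a cookie minted by
        # another KDC of the realm will not verify here.
        mac = hmac.new(REALM_KEY, f"{self.kdc_id}:{nonce}".encode(), hashlib.sha256).digest()
        return self.kdc_id.encode() + b":" + mac

    @staticmethod
    def _lookaside_key(req: ASRequest) -> bytes:
        return hashlib.sha256(repr(req).encode()).digest()

    def handle(self, req: ASRequest) -> Optional[Reply]:
        """Return a reply, or None when the KDC silently drops the request."""
        if req.otp is None:
            return Reply("PREAUTH_REQUIRED", cookie=self._cookie(req.nonce))
        key = self._lookaside_key(req)
        if key in self.lookaside:
            return self.lookaside[key]   # retransmission: replay our answer, no OTP re-check
        if self.check_origin and not hmac.compare_digest(req.cookie or b"", self._cookie(req.nonce)):
            self.dropped += 1            # not our preauth-required error: drop, no reply
            return None
        reply = Reply("TGT") if self.otp.verify(req.otp) else Reply("PREAUTH_FAILED")
        self.lookaside[key] = reply
        return reply


def run_scenario(check_origin: bool = True) -> dict:
    """Client talks to kdc1, then a retransmission of the OTP retry lands on kdc2."""
    otp = OTPService("123456", max_failures=3)
    kdc1 = KDC("kdc1", otp, check_origin)
    kdc2 = KDC("kdc2", otp, check_origin)
    first = kdc1.handle(ASRequest("alice", nonce=42))
    retry = ASRequest("alice", nonce=42, otp="123456", cookie=first.cookie)
    r1 = kdc1.handle(retry)          # fresh OTP, accepted
    r2 = kdc1.handle(retry)          # retransmit to the same KDC: lookaside hit
    r3 = kdc2.handle(retry)          # retransmit lands on the other KDC
    return {
        "first": first.kind,
        "kdc1": r1.kind,
        "kdc1_retransmit": r2.kind,
        "kdc2": None if r3 is None else r3.kind,
        "otp_checks": otp.verifications,
        "failures": otp.failures,
        "dropped": kdc2.dropped,
    }


if __name__ == "__main__":
    print("with drop rule:   ", run_scenario(check_origin=True))
    print("without drop rule:", run_scenario(check_origin=False))
```

With the rule enabled the OTP backend is consulted once and the stray retransmission is dropped without a reply; with it disabled, kdc2 re-verifies the already-consumed OTP, gets a failure, and that failure is charged against the user's lockout counter, which is exactly the behaviour a per-KDC cache alone cannot prevent.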