>Our realm has 43,000+ principals so for us, it's a big deal. :) We have
>slaves not only for redundancy, but also for load balancing. We don't want
>all the users on our campus authenticating or changing passwords against
>just one machine.

With ticket caching, the load against one KDC hasn't been really that bad, from my experience.

>With Unix and Linux, this one master setup isn't too bad b/c you can tell
>clients to auth against a slave and do password changes against the master.
>But with "dumb" implementations, like Microsoft, it assumes a KDC is a KDC
>is a KDC: one machine that will handle both. So we have a situation where
>our slaves will need to be able to handle password changes, or every Windows
>box talks to the master, or some third option (that we are still hoping to
>find).

Hm, I'm not sure that's correct. If you're using the DNS SRV records, you should be able to specify KDC priority and kpasswd service locations (although I don't actually know if the MS Kerberos implementation uses the kpasswd DNS SRV record).

--Ken
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
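
An added illustration of the DNS SRV layout mentioned in the reply above (not part of the original thread): slaves are listed at a lower priority number for `_kerberos`, while `_kpasswd` points only at the master. The realm EXAMPLE.EDU, the host names and the helper functions are constructed for this example; which of these records a given client implementation consults is not established by the thread.

```python
# Constructed zone data for a hypothetical realm EXAMPLE.EDU (not from the thread).
# SRV rdata layout (RFC 2782): priority weight port target
ZONE = """\
_kerberos._udp.EXAMPLE.EDU.        SRV 0  50 88  kdc-slave1.example.edu.
_kerberos._udp.EXAMPLE.EDU.        SRV 0  50 88  kdc-slave2.example.edu.
_kerberos._udp.EXAMPLE.EDU.        SRV 10 0  88  kdc-master.example.edu. ; fallback only
_kerberos-master._udp.EXAMPLE.EDU. SRV 0  0  88  kdc-master.example.edu.
_kpasswd._udp.EXAMPLE.EDU.         SRV 0  0  464 kdc-master.example.edu.
"""


def parse_srv(zone_text):
    """Parse 'name SRV prio weight port target' lines into {name: [records]}."""
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) != 6 or fields[1].upper() != "SRV":
            raise ValueError(f"not an SRV record: {raw!r}")
        name, _, prio, weight, port, target = fields
        records.setdefault(name.rstrip(".").lower(), []).append(
            (int(prio), int(weight), int(port), target.rstrip("."))
        )
    return records


def tiers(records, service, realm, proto="udp"):
    """Group (host, port) pairs by ascending SRV priority.

    A client tries every host in the first tier before moving to the next.
    Within a tier RFC 2782 uses weighted random choice; hosts are sorted by
    name here only to keep the output deterministic.
    """
    key = f"_{service}._{proto}.{realm}".lower()
    by_prio = {}
    for prio, _weight, port, target in records.get(key, []):
        by_prio.setdefault(prio, []).append((target, port))
    return [sorted(by_prio[p]) for p in sorted(by_prio)]


if __name__ == "__main__":
    recs = parse_srv(ZONE)
    for svc in ("kerberos", "kerberos-master", "kpasswd"):
        print(svc, tiers(recs, svc, "EXAMPLE.EDU"))
```
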