* Digant Kasundra <[EMAIL PROTECTED]> [2004-03-24 15:02] wibbled:
> >I'm not saying multi-master isn't desirable, but for the average realm, you
> >can live without it. For a larger realm, (in the tens of thousands of
> >principals) having incremental propagation probably takes care of the
> >issues you have with DB propagation.
>
> Our realm has 43,000+ principals so for us, it's a big deal. :) We have
> slaves not only for redundancy, but also for load balancing. We don't want
> all the users on our campus authenticating or changing passwords against
> just one machine.

The installation on my campus has on the order of 100,000 principals, and
there are two Kerberos servers: one master and one slave. They are both, I
believe, IBM 43p/[EMAIL PROTECTED] machines, and there is not a load problem.
I'm not a campus-level Kerberos admin, however, so I am not an authority on
the matter.

> With Unix and Linux, this one master setup isn't too bad b/c you can tell
> clients to auth against a slave and do password changes against the master.
> But with "dumb" implementations, like Microsoft, it assumes a KDC is a KDC
> is a KDC: one machine that will handle both. So we have a situation where
> our slaves will need to be able to handle password changes, or every Windows
> box talks to the master, or some third option (that we are still hoping to
> find).
>
> And incremental propagation would definitely take care of that problem. So
> where is it? I found some outdated information and patches for krepd but
> little else. Although I do know Heimdal supports it (which is nice).

--
/--
| Ben Staffin    perpetual nerd |
--/
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
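
The Unix/Linux client arrangement mentioned in the quoted text (authenticate against a slave, change passwords on the master) can be written in an MIT krb5 `krb5.conf` along these lines. This is an added example, not part of the original thread; the realm and host names are placeholders.

```ini
[libdefaults]
    default_realm = EXAMPLE.EDU

[realms]
    EXAMPLE.EDU = {
        # Ticket requests (AS/TGS) are spread over the read-only slaves,
        # with the master listed last as a fallback.
        kdc = kdc-slave1.example.edu
        kdc = kdc-slave2.example.edu
        kdc = kdc-master.example.edu

        # If a slave rejects a password, the client retries against the
        # master in case the slave has not yet received a recent change.
        master_kdc = kdc-master.example.edu

        # kadmin and password changes need the writable database,
        # so they point at the master only.
        admin_server = kdc-master.example.edu
        kpasswd_server = kdc-master.example.edu
    }
```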