>So, logical consequence is that master must answer all TGT requests.

There are two things missing here.

The user's password is only required for AS requests. You don't need the user's password for TGS requests, which are the vast majority of Kerberos requests. At least one major Kerberos implementation (MIT) will go out of its way to contact a master KDC if it got an error from an AS_REQ to a slave (MIT). I don't know if Heimdal has this functionality or not.

Two more things:

- An hour is a long time to wait for password updates between KDCs. Mine is set to 5 minutes.
- I don't actually do load balancing between my KDCs, but the load on them is so light, I never notice a problem.

--Ken

________________________________________________
Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos
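The two behaviours Ken describes (clients retrying an AS_REQ against the master after a password error on a slave, and propagating the database more often than hourly) correspond to two pieces of MIT Kerberos configuration. The fragment below is an added illustration, not configuration from the thread or from the MIT project; the realm name, hostnames and paths are placeholders chosen for the example. The `master_kdc` tag in `krb5.conf` is documented by MIT as used only when an attempt to get credentials fails because of an invalid password: the client then retries against the listed master in case the password was just changed and has not yet propagated. The cron line shows a 5-minute dump-and-kprop cycle on the master, matching the interval Ken mentions.

```ini
# /etc/krb5.conf on clients (placeholder realm and hosts)
[libdefaults]
    default_realm = EXAMPLE.ORG

[realms]
    EXAMPLE.ORG = {
        # Slaves and master all answer AS_REQ and TGS_REQ normally.
        kdc = kdc-slave1.example.org
        kdc = kdc-slave2.example.org
        kdc = kdc-master.example.org
        # On an AS_REQ that fails with a bad-password error against a
        # slave, the MIT client retries here (password may be newer
        # on the master than on a not-yet-updated slave).
        master_kdc = kdc-master.example.org
        admin_server = kdc-master.example.org
    }

# /etc/cron.d/kprop on the master KDC (placeholder paths and host):
# dump the principal database and push it to the slave every 5 minutes
# instead of hourly, so password changes reach the slaves quickly.
# */5 * * * * root /usr/sbin/kdb5_util dump /var/kerberos/krb5kdc/slave_datatrans && /usr/sbin/kprop -f /var/kerberos/krb5kdc/slave_datatrans kdc-slave1.example.org
```

Because TGS requests are served from the TGT's session key rather than the user's password, a stale slave only bites on the AS exchange, which is exactly the case `master_kdc` covers; shortening the kprop interval narrows that window further.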
