Ken Hornstein <[EMAIL PROTECTED]> writes:
> >So, logical consequence is that master must answer all TGT requests.
> Two more things:
> - A hour a long time to wait for password updates between KDCs. Mine is
> set to 5 minutes.
If you are a big site (tens of thousands of principals),
this is probably not an option. Most of us in that
category have invented or adopted some sort of incremental
update scheme.
> - I don't actually do load balancing between my KDCs, but the load on them
> is so light, I never notice a problem.
I think it would take a combination of a pretty big site and
a pretty lame server for anyone to notice a load problem (ours
ran on an 8Mhz DECstation for years!) I think the most common
reasons for a slave KDC are:
* reliability (if your main server coughs up a motherboard or ...)
* slow or unreliable networks (e.g., the podunk branch office problem)
John
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
