First a little about my environment:
I have a very large enterprise (60K+ hosts) that I support with Kerberos 
services.  I currently have 10 KDCs that are geographically distributed.  They 
are each behind L3DSR VIPs within the region where the server resides, and there 
is a GSLB above that which allows me to give out 1 KDC address that is redundant 
and efficient in all world regions.  Currently I have an outside process that 
enforces policies and will lock accounts on the master server so that this is 
propagated down to all the KDCs.

Question:
I would like to use the built-in Kerberos policy support; however, since I have 
10 KDCs, for me to enforce a "5 password errors to lockout" type policy would be 
the same as giving the user 50 attempts if they craft them right.  Does MIT or 
anyone else have a project to allow use of policies in multi-KDC environments 
like this?


William Clark



________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
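
Added example, not part of the original post and not MIT krb5 code: a sketch of the kind of outside process the post describes, summing failed pre-authentications across all KDCs so the 5-failure limit applies realm-wide. The feed format, the names parse and realm_wide_lockouts, and the rule that any success resets the realm-wide count are assumptions made for illustration.

```python
from collections import defaultdict

MAX_FAILURES = 5  # the "5 password errors to lockout" policy from the post

# Constructed sample feed, one pre-authentication result per line:
# "<epoch> <kdc> <principal> <FAIL|OK>". This is an assumed normalized
# format gathered from every KDC, not the krb5kdc log format.
SAMPLE = """\
1000 kdc1 alice@EXAMPLE.COM FAIL
1001 kdc2 alice@EXAMPLE.COM FAIL
1002 kdc3 alice@EXAMPLE.COM FAIL
1003 kdc1 alice@EXAMPLE.COM FAIL
1004 kdc2 alice@EXAMPLE.COM FAIL
1010 kdc1 bob@EXAMPLE.COM FAIL
1011 kdc2 bob@EXAMPLE.COM FAIL
1012 kdc1 bob@EXAMPLE.COM OK
1013 kdc2 bob@EXAMPLE.COM FAIL
"""

def parse(text):
    """Turn the feed into sortable (epoch, kdc, principal, outcome) tuples."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(int(ts), kdc, princ, outcome) for ts, kdc, princ, outcome in rows]

def realm_wide_lockouts(events, limit=MAX_FAILURES):
    """Return {principal: (epoch, highest_single_kdc_count)} for every
    principal whose failures summed over all KDCs reach the limit."""
    local = defaultdict(lambda: defaultdict(int))  # principal -> kdc -> count
    total = defaultdict(int)                       # principal -> realm-wide count
    flagged = {}
    for ts, kdc, principal, outcome in sorted(events):
        if outcome == "OK":
            local[principal][kdc] = 0  # a KDC only sees its own successes
            total[principal] = 0       # assumption: any success resets the realm count
            continue
        local[principal][kdc] += 1
        total[principal] += 1
        if total[principal] >= limit and principal not in flagged:
            flagged[principal] = (ts, max(local[principal].values()))
    return flagged

if __name__ == "__main__":
    for principal, (ts, worst) in realm_wide_lockouts(parse(SAMPLE)).items():
        note = "no single KDC at limit" if worst < MAX_FAILURES else "also at limit locally"
        print(f"{ts} lock {principal}: worst single-KDC count {worst} ({note})")
```

In the constructed feed, alice reaches the realm-wide limit while no single KDC has counted more than 2 failures, which is the gap the post describes for per-KDC counters.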