> You can assign a value as low as one second.

Maybe I am missing something but changing the kdc.conf to any value...

iprop_replica_poll=1s

or even...

iprop_replica_poll = 0.016666666666667m (for 1s= 1/60min!)

Based on tailing the kadmind.log, it is showing the replica polling every 2m!?

> On Jan 9, 2020, at 11:32 AM, Tareq Alrashid <ta...@qerat.com> wrote:
>
> Thanks Greg.
> Final question if there is any negative impact for having replicas poll as
> often as one second or maybe it is best to be at higher numbers of seconds?
>
> On Thu, Jan 9, 2020 at 11:24 Greg Hudson <ghud...@mit.edu> wrote:
> On 1/8/20 1:38 PM, Tareq Alrashid wrote:
> > How can we make it as close to realtime as possible?
> > what is the smallest value possible we can assign?
>
> You can assign a value as low as one second.
>
> > Master receives a newly provisioned user, or new password change/reset, and
> > since we live in the instant-gratification times, users attempt to login
> > onto services that are configured to authenticate against replica servers which
> > of course have not been propagated to yet…. failed login => open a help
> > desk ticket…etc. waste of time and frustration.
>
> You could try configuring a master_kdc value in krb5.conf on the clients
> (or, if you use DNS, adding _kerberos-master._udp.realm and
> _kerberos-master._tcp.realm records). If these are present, kinit will
> retry with the master KDC if it gets an error from the first KDC it
> tries, if the error could have resulted from propagation not having
> happened yet.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
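
The client-side fallback suggested in the quoted reply, written out as an added configuration example (it is not from the thread or from the krb5 project). The realm EXAMPLE.COM, the host names, the file path and port 88 are placeholder assumptions. The DNS variant is shown as comments in zone-file syntax.

```ini
# Client krb5.conf (commonly /etc/krb5.conf; path assumed).
# Realm and host names below are placeholders, not values from the thread.
[realms]
    EXAMPLE.COM = {
        # KDCs the client contacts first: the replicas.
        kdc = replica1.example.com
        kdc = replica2.example.com

        # Fallback target. When the first KDC tried returns an error that
        # could be explained by propagation not having happened yet,
        # kinit retries the request against this host.
        master_kdc = kdc-master.example.com

        # Password changes and kadmin traffic go to the master as well.
        admin_server = kdc-master.example.com
    }

# DNS alternative for sites that locate KDCs through SRV records instead
# of listing them in krb5.conf. Zone-file syntax, kept as comments here;
# priority 0, weight 0 and port 88 are assumed values.
#
#   _kerberos-master._udp.EXAMPLE.COM.  IN SRV 0 0 88 kdc-master.example.com.
#   _kerberos-master._tcp.EXAMPLE.COM.  IN SRV 0 0 88 kdc-master.example.com.
```

With either form in place, a login that fails on a replica because a new principal or password has not propagated is retried against the master, so the poll interval stops being the only control over that failure.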