On Sun, 2011-07-24 at 17:30 -0400, Nico Williams wrote:
> For performance reasons? It's like this forever, so there may not be
> a performance reason anymore. IMO this should be fixed.

I think performance is still an issue. We definitely still get feedback about the number of LDAP queries per KDC operation, and TGS requests are more frequent than AS requests. (At least, they should be. It depends on how often the KDC is used purely as a password verifier.)

We could add a configuration knob, but I'm still trying to justify the increased complexity to myself. Preventing a disabled account from making new TGS requests with a valid TGT seems like closing the barn door after the horse has escaped, as you have no control over the service tickets the client already obtained before it was disabled.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos