> We could add a configuration knob, but I'm still trying to justify
> the increased complexity to myself. Preventing a disabled account
> from making new TGS requests with a valid TGT seems like closing the
> barn door after the horse has escaped, as you have no control over
> the service tickets the client already obtained before it was
> disabled.

A better analogy: the current thing is like you identified the horse thief at noon, but you decided to leave the barn open and unlocked until sunset, even though he's sitting outside idling in a truck that already has a couple of your horses in it, but has room for more. I just want to lock the barn now, and I'm willing to walk out there to do that.

Or something like that. :)

Uh, that last sentence was to address the performance implications. I need to figure out the metaphorical expression of the profile bool. Maybe you ask the wife if it's okay to stop doing dishes and walk out and lock the barn...

Then, clearly, the metaphor is lacking the cross-realm issue... maybe there's a dude taking your horses, but he was referred to you by your friend from the farm down the road, and you keep trusting him based on that recommendation until sunset, when you have drinks at the bar with your friend.

Okay, stopping now,
Chris

On 2011/07/25 08:37, Greg Hudson wrote:
> On Sun, 2011-07-24 at 17:30 -0400, Nico Williams wrote:
>> For performance reasons? It's like this forever, so there may not be
>> a performance reason anymore. IMO this should be fixed.
>
> I think performance is still an issue. We definitely still get feedback
> about the number of LDAP queries per KDC operation, and TGS requests are
> more frequent than AS requests. (At least, they should be. It depends
> on how often the KDC is used purely as a password verifier.)
>
> We could add a configuration knob, but I'm still trying to justify the
> increased complexity to myself. Preventing a disabled account from
> making new TGS requests with a valid TGT seems like closing the barn
> door after the horse has escaped, as you have no control over the
> service tickets the client already obtained before it was disabled.
>
>

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
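The trade-off the thread is weighing can be made concrete with a small model of a KDC's AS and TGS paths. The following is an added illustration, not MIT krb5 code and not anything posted in the thread: the `check_client_on_tgs` profile knob, the principal names, the realm names and the clock values are all constructed. It counts database lookups per request (standing in for the LDAP queries Greg mentions), shows that service tickets obtained before the account was disabled stay valid either way, shows that the knob only closes the door on new tickets for local clients, and shows why a client referred from a trusted realm is unaffected, since its principal is not in the local database at all.

```python
from dataclasses import dataclass

# Constructed toy model of the policy question in this thread: should the
# TGS spend one more database query per request to look up the client
# principal, so that an account disabled after it obtained a TGT is
# refused new service tickets? Not MIT krb5 code; the knob name
# check_client_on_tgs is hypothetical.


@dataclass
class Principal:
    name: str
    disabled: bool = False


@dataclass
class Ticket:
    client: str   # "name@REALM"
    service: str  # "service@ISSUING-REALM"
    expires: int  # constructed epoch seconds


class KDC:
    def __init__(self, realm, principals, check_client_on_tgs=False):
        self.realm = realm
        self.db = {p.name: p for p in principals}
        self.check_client_on_tgs = check_client_on_tgs  # hypothetical profile bool
        self.db_queries = 0  # stands in for the per-request LDAP queries

    def lookup(self, name):
        self.db_queries += 1
        return self.db.get(name)

    def as_request(self, client, now, lifetime=8 * 3600):
        # AS exchange: the client principal is always consulted here.
        p = self.lookup(client)
        if p is None or p.disabled:
            return None
        return Ticket(f"{client}@{self.realm}",
                      f"krbtgt/{self.realm}@{self.realm}", now + lifetime)

    def tgs_request(self, tgt, service, now):
        # Accept an unexpired TGT for this realm's TGS, whether issued
        # locally or by a trusted realm (cross-realm referral).
        if tgt.expires <= now or tgt.service.split("@")[0] != f"krbtgt/{self.realm}":
            return None
        client_name, client_realm = tgt.client.split("@")
        if self.check_client_on_tgs and client_realm == self.realm:
            # The extra query the thread is weighing: refuse a client that
            # was disabled after its TGT was issued.
            p = self.lookup(client_name)
            if p is None or p.disabled:
                return None
        # A foreign client lives in another KDC's database; there is nothing
        # local to consult, so its TGT is trusted until it expires.
        svc = self.lookup(service)  # the service key is always needed
        if svc is None or svc.disabled:
            return None
        return Ticket(tgt.client, f"{service}@{self.realm}",
                      min(tgt.expires, now + 3600))


def simulate(check_client_on_tgs):
    """Run one disable-after-TGT scenario and report what the knob changes."""
    now = 1_700_000_000  # constructed clock
    kdc = KDC("EXAMPLE.COM",
              [Principal("alice"), Principal("krbtgt/EXAMPLE.COM"),
               Principal("host/app.example.com")],
              check_client_on_tgs)
    tgt = kdc.as_request("alice", now)
    before = kdc.tgs_request(tgt, "host/app.example.com", now + 60)
    kdc.db["alice"].disabled = True  # the admin disables the account at "noon"
    after = kdc.tgs_request(tgt, "host/app.example.com", now + 120)
    # Client referred from a trusted realm: its TGT names our TGS but was
    # issued by the foreign KDC, and its principal is not in our database.
    foreign_tgt = Ticket("bob@PARTNER.ORG", "krbtgt/EXAMPLE.COM@PARTNER.ORG",
                         now + 3600)
    cross = kdc.tgs_request(foreign_tgt, "host/app.example.com", now + 180)
    return {
        "ticket_before_disable": before is not None,
        "ticket_after_disable": after is not None,
        "earlier_ticket_still_valid": before.expires > now + 120,
        "cross_realm_ticket": cross is not None,
        "db_queries": kdc.db_queries,
    }


if __name__ == "__main__":
    for knob in (False, True):
        print(f"check_client_on_tgs={knob}: {simulate(knob)}")
```

With the knob off the model issues the post-disable service ticket and performs four lookups in total; with it on, the post-disable request is refused but the scenario costs five lookups, the extra one being the client lookup on each local TGS request. In both runs the service ticket obtained before the disable remains usable until it expires, and the foreign client is served identically, which is the cross-realm gap Chris's metaphor is reaching for.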