Re: scaling problems

2004-04-14 Thread Ken Hornstein
>So, logical consequence is that master must answer all TGT requests.

There are two things missing here. The user's password is only required for AS requests. You don't need the user's password for TGS requests, which are the vast majority of Kerberos requests. At least one major Kerberos impl

Re: scaling problems

2004-04-14 Thread Jeffrey Altman
[EMAIL PROTECTED] wrote:
> Hi, folks
>
> 2) Users wouldn't be happy if they were unable to login one hour every
> time they change password.
>
> So, logical consequence is that master must answer all TGT requests.
> Having a slave around in case master dies is better than nothing, but
> slave

Re: scaling problems

2004-04-14 Thread John Hascall
Ken Hornstein <[EMAIL PROTECTED]> writes:
> >So, logical consequence is that master must answer all TGT requests.
> Two more things:
> - An hour is a long time to wait for password updates between KDCs. Mine is
> set to 5 minutes.

If you are a big site (tens of thousands of principals), t

Re: scaling problems

2004-04-14 Thread Russ Allbery
John Hascall <[EMAIL PROTECTED]> writes:
> Ken Hornstein <[EMAIL PROTECTED]> writes:
>> - An hour is a long time to wait for password updates between KDCs. Mine is
>> set to 5 minutes.
> If you are a big site (tens of thousands of principals),
> this is probably not an option.

Most of us

RE: scaling problems

2004-04-14 Thread Subu Ayyagari
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jeffrey Altman
Sent: Wednesday, April 14, 2004 1:09 PM
To: [EMAIL PROTECTED]
Subject: Re: scaling problems

[EMAIL PROTECTED] wrote:
> Hi, folks
>
> 2) Users wouldn't be happy if they were u