[32647] in Kerberos
Re: Kerberos Propagation question
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Tue Sep 7 15:30:33 2010
From: Ken Raeburn <raeburn@mit.edu>
In-Reply-To: <AANLkTimbmc3YVZeGY53SfdXZAV2jsoANCQL58_AupWWi@mail.gmail.com>
Date: Tue, 7 Sep 2010 15:30:31 -0400
Message-Id: <56FDA578-913C-49E3-A2F4-B3CB4DA2E941@mit.edu>
To: paxindustria@ob3y.com
Cc: kerberos@mit.edu
On Sep 7, 2010, at 15:06, Pax Industria wrote:
> Hi,
>
> A colleague asked recently if KDCs could replicate more frequently, his
> suggestion was every 3 minutes. That seemed as though it could have adverse
> effects on the KDCs but I couldn't find anything in the docs on a best
> practice for how frequently / infrequently to replicate the database. I seem
> to recall that propagation locks the DB, but I wasn't able to find a
> reference to it. (I could have made it up..., or maybe I just didn't see it
> in the docs) Would pushing the database out that frequently be problematic?
A full dump briefly locks the database against updates while it writes out a text version, but then the propagation is done with the text version, and the database is unlocked, so changes can be made. For very large databases, though, the full dump-copy-load sequence can take a while.
However, in recent versions of MIT's code, there's an incremental propagation mode contributed by Sun which can send updates much more efficiently, and only uses full propagation when necessary. If you wish to keep your KDCs very closely in sync I suggest you look at using that mode, especially if you have a large database.
> Besides increased load on the system could that have an adverse effect on
> admins working on the database?
It shouldn't, at least with the incremental propagation code in use.
Ken
--
Ken Raeburn / raeburn@mit.edu
NOT working or speaking for the MIT Kerberos Consortium
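
For reference, an added example (not part of Ken's message and not MIT's shipped configuration) of the kdc.conf realm settings that turn on the incremental propagation mode mentioned above. The realm name, port number and the interval and log-size values are assumptions chosen for illustration.

```ini
# --- kdc.conf on the master KDC (EXAMPLE.COM is a placeholder realm) ---
[realms]
    EXAMPLE.COM = {
        # Enable incremental propagation: kadmind records each database
        # change in an update log instead of relying on periodic full dumps.
        iprop_enable = true

        # Number of updates kept in the log. A replica that has fallen
        # further behind than this is sent a full dump instead.
        iprop_master_ulogsize = 1000

        # Port on which kadmind answers iprop requests (constructed value;
        # it must match on master and replicas).
        iprop_port = 2121
    }

# --- kdc.conf on each replica KDC (separate file, same realm) ---
[realms]
    EXAMPLE.COM = {
        iprop_enable = true
        iprop_port = 2121

        # How often kpropd polls the master for new updates. Newer
        # releases spell this option iprop_replica_poll.
        iprop_slave_poll = 2m
    }

# Each KDC taking part also needs a kiprop/<hostname> principal in its
# keytab so that kadmind and kpropd can authenticate to each other.
```

Propagation lag has a security side as well: until a change reaches a replica, that replica keeps answering with the old key or the not-yet-disabled principal.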