[38660] in Kerberos
Re: iprop_iprop_replica_poll=2m default...
daemon@ATHENA.MIT.EDU (Kenneth MacDonald)
Thu Jan 9 11:10:31 2020
Message-ID: <2382e8b2b1d0deef68949f18750c02bbb8c178c4.camel@ed.ac.uk>
From: Kenneth MacDonald <Kenneth.MacDonald@ed.ac.uk>
To: Tareq Alrashid <tareq@qerat.com>, <kerberos@mit.edu>
Date: Thu, 09 Jan 2020 16:09:51 +0000
In-Reply-To: <E057FE8A-2B01-456A-9E69-F5DB1DD06B22@qerat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Ah, OK. I cannot answer whether 2m is the minimum value.
Cheers,
Kenny.
On Thu, 2020-01-09 at 09:26 -0500, Tareq Alrashid wrote:
> Thanks for the reply, Kenny.
>
> I have left out an important detail, on campus of course all is
> configured to master KDC first, the kerb2/kerb3…etc., no problem.
>
> This affects users of our cloud services, for example in AWS where
> we have duplicated all/most of our infrastructure services, if a user
> changes her password using our web tools against master KDC on
> campus, said user will not be able to log in immediately until changes
> are replicated out to the replica Kerberos servers in AWS. Granted 2m
> is not long, but this is the reason for asking in the first place to
> see if 2m is the shortest time delta allowed.
>
> Thanks,
> Tareq
>
> > On Jan 9, 2020, at 4:11 AM, Kenneth MacDonald <
> > Kenneth.MacDonald@ed.ac.uk> wrote:
> >
> > On Wed, 2020-01-08 at 13:38 -0500, Tareq Alrashid wrote:
> > > How can we make it as close to realtime as possible?
> > > what is the smallest value possible we can assign?
> > >
> > > Background:
> > >
> > > Master receives a newly provisioned user, or new password
> > > change/reset, and since we live in the instant-gratification times,
> > > users attempt to log in to services that are configured to
> > > authenticate against replica servers which of course have not been
> > > propagated to yet…. failed login => open a help desk ticket…etc.
> > > waste of time and frustration.
> > >
> > > How do you all deal with the latency in your hi-ed environment?
> > >
> > > HNY! Thanks for any insights
> >
> > We haven't reduced the polling interval, but have configured our web
> > single sign on hosts to authenticate against our master KDC in
> > preference to the slaves by listing their IP addresses in order in
> > /etc/krb5.conf.
> >
> > Cheers,
> >
> > Kenny.
> >
> >
> >
> >
> >
> > --
> > The University of Edinburgh is a charitable body, registered in
> > Scotland, with registration number SC005336.
> >
>
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
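
The client-side ordering described in the thread, together with the replica poll setting from the subject line, as an added example that is not part of the original messages. The realm name, the 192.0.2.x addresses and the file locations are constructed placeholders; `master_kdc` is not mentioned in the thread and is included as a related MIT krb5 client setting.

```ini
# ---- /etc/krb5.conf on a web single sign-on host (constructed example) ----
[libdefaults]
    default_realm = EXAMPLE.EDU

[realms]
    EXAMPLE.EDU = {
        # kdc entries are listed in order of preference, master first,
        # so a freshly changed password is checked against the
        # authoritative database before any replica is tried.
        kdc = 192.0.2.10
        kdc = 192.0.2.11
        kdc = 192.0.2.12
        admin_server = 192.0.2.10

        # Hosts that must list a nearby replica first (for example in a
        # remote cloud region) can still name the master here: after an
        # invalid-password failure the MIT client retries against it in
        # case the change has not propagated yet.
        master_kdc = 192.0.2.10
    }

# ---- kdc.conf on each replica KDC (constructed example) ----
[realms]
    EXAMPLE.EDU = {
        iprop_enable = true
        # How often kpropd asks the master for incremental updates.
        # 2m is the documented default discussed in this thread; the
        # thread does not establish a minimum value.
        iprop_replica_poll = 2m
    }
```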