[38663] in Kerberos
Re: iprop_iprop_replica_poll=2m default...
daemon@ATHENA.MIT.EDU (Tareq Alrashid)
Fri Jan 10 20:23:11 2020
From: Tareq Alrashid <tareq@qerat.com>
Message-ID: <C6A18106-6E77-45D8-A40B-D4540E524487@qerat.com>
MIME-Version: 1.0 (Mac OS X Mail 13.0 (3608.40.2.2.4))
Date: Fri, 10 Jan 2020 20:22:53 -0500
In-Reply-To: <CAO-skvog8zHT2kv5uwUww+CzMBinPqT0LH3Fa_iGHp9f09QuBw@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: Tareq Alrashid <tareq@qerat.com>, "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
> You can assign a value as low as one second.
Maybe I am missing something but changing the kdc.conf to any value...
iprop_replica_poll=1s
or even...
iprop_replica_poll = 0.016666666666667m
(for 1s = 1/60 min!)
Based on tailing the kadmind.log, it is showing the replica polling every 2m!?
> On Jan 9, 2020, at 11:32 AM, Tareq Alrashid <tareq@qerat.com> wrote:
>
> Thanks Greg.
> Final question: is there any negative impact from having replicas poll as often as one second, or is it best to stay at a higher number of seconds?
>
> On Thu, Jan 9, 2020 at 11:24 Greg Hudson <ghudson@mit.edu> wrote:
> On 1/8/20 1:38 PM, Tareq Alrashid wrote:
> > How can we make it as close to realtime as possible?
> > what is the smallest value possible we can assign?
>
> You can assign a value as low as one second.
>
> > Master receives a newly provisioned user, or a new password change/reset, and since we live in instant-gratification times, users attempt to log in to services that are configured to authenticate against replica servers, which of course have not been propagated to yet... failed login => open a help desk ticket, etc. A waste of time and frustration.
>
> You could try configuring a master_kdc value in krb5.conf on the clients
> (or, if you use DNS, adding _kerberos-master._udp.realm and
> _kerberos-master._tcp.realm records). If these are present, kinit will
> retry with the master KDC if it gets an error from the first KDC it
> tries, if the error could have resulted from propagation not having
> happened yet.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
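As an added check (example code, not from this thread or from MIT krb5), the script below parses an iprop_replica_poll value in the duration syntax used in the thread and measures the gap actually seen between a replica's update polls in kadmind.log, so the configured and observed intervals can be compared instead of eyeballed while tailing the log. The kadmind log line layout, the host and principal names, and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Subset of krb5's duration syntax: bare seconds or integer d/h/m/s parts
# ("1s", "2m", "1h30m"); anything else, e.g. a fractional "0.0166m", is rejected.
_DELTAT_RE = re.compile(r"^(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s?)?$")
# kadmind logs each replica poll as an iprop_get_updates_1 request naming the
# replica's kiprop client principal; the exact line layout is an assumption here.
_POLL_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kadmind\[\d+\]\(\w+\): "
                      r"Request: iprop_get_updates_1, .*?client=(\S+?),")
# Constructed sample of kadmind.log lines (not taken from the thread).
SAMPLE_LOG = """\
Jan 10 20:10:00 kdc1 kadmind[2345](Notice): Request: iprop_get_updates_1, UPDATE_NIL, success, client=kiprop/replica1.example.com@EXAMPLE.COM, service=kiprop/kdc1.example.com@EXAMPLE.COM, addr=192.0.2.10
Jan 10 20:12:00 kdc1 kadmind[2345](Notice): Request: iprop_get_updates_1, UPDATE_NIL, success, client=kiprop/replica1.example.com@EXAMPLE.COM, service=kiprop/kdc1.example.com@EXAMPLE.COM, addr=192.0.2.10
Jan 10 20:14:01 kdc1 kadmind[2345](Notice): Request: iprop_get_updates_1, UPDATE_NIL, success, client=kiprop/replica1.example.com@EXAMPLE.COM, service=kiprop/kdc1.example.com@EXAMPLE.COM, addr=192.0.2.10
Jan 10 20:14:30 kdc1 kadmind[2345](Notice): Request: iprop_full_resync_1, success, client=kiprop/replica2.example.com@EXAMPLE.COM, service=kiprop/kdc1.example.com@EXAMPLE.COM, addr=192.0.2.11
""".splitlines()

def parse_deltat(text):
    """Seconds for an iprop_replica_poll value, or None if it does not parse."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    m = _DELTAT_RE.fullmatch(text)
    if not text or not m:
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def observed_poll_intervals(lines):
    """Per replica principal, the gaps in seconds between its successive polls."""
    stamps = {}
    for line in lines:
        m = _POLL_RE.match(line)
        if not m:
            continue  # full resyncs and unrelated requests are not polls
        # Syslog-style stamps carry no year; gaps within one year still come out right.
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        stamps.setdefault(m.group(2), []).append(ts)
    return {c: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])] for c, t in stamps.items()}

def check_poll_interval(configured, lines, tolerance=2):
    """Compare the configured iprop_replica_poll with each replica's median observed gap."""
    want = parse_deltat(configured)
    if want is None:
        return {"configured_seconds": None, "error": "unparseable duration"}
    report = {}
    for client, gaps in observed_poll_intervals(lines).items():
        got = median(gaps) if gaps else None
        report[client] = {"configured_seconds": want, "observed_seconds": got,
                          "matches": got is not None and abs(got - want) <= tolerance}
    return report
```

Feed it the real kadmind.log (and the value from kdc.conf) to see whether a replica is honouring the configured interval or still polling at the 2m default.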