[38834] in Kerberos
Re: Selective kdc discovery
daemon@ATHENA.MIT.EDU (Paul B. Henson)
Thu Nov 5 00:56:30 2020
Date: Wed, 4 Nov 2020 21:53:39 -0800
From: "Paul B. Henson" <henson@acm.org>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20201105055339.GL6726@zaphod.pbhware.com>
In-Reply-To: <fb897c65-dc13-752d-9cbe-9742ae692dc0@mit.edu>
Cc: kerberos@mit.edu

On Sat, Oct 31, 2020 at 01:02:34AM -0400, Greg Hudson wrote:

> In the MIT krb5 implementation, they are tried in the order specified,
> with a 1s delay in between. I can't speak to the Java implementation,
> unfortunately.

Ah, so each subsequent server is only used if all the ones before it
failed? There's no mechanism for load balancing when using file-based
kdc configuration?

We're currently using DNS SRV records and all of our kdcs seem to have
fairly equal load. Are DNS SRV records handled differently in terms of
distributing load, or is that just a side effect of the resolver handing
them back in a different order for each lookup?

> The request would fail with an unreachable error, in the MIT implementation.

Thanks for the info. It doesn't look like the Java implementation tries
the listed master anyway for a password failure, it just immediately
errors out.