[38223] in Kerberos
Re: Determening the number of clients per KDC
daemon@ATHENA.MIT.EDU (Sergei Gerasenko)
Mon Apr 16 15:40:05 2018
From: Sergei Gerasenko <gerases@gmail.com>
Message-Id: <FD687074-B0F4-4C04-A7CA-F5055CF19C6F@gmail.com>
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Date: Mon, 16 Apr 2018 14:39:47 -0500
In-Reply-To: <87efjf57np.fsf@hope.eyrie.org>
To: Russ Allbery <eagle@eyrie.org>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
> Oh, no problem -- just be aware that they're being answered by someone who
> hasn't run large-scale KDCs in about four years, so some of my information
> is stale. :)
Still very valuable since I haven’t been able to find answers to any of these questions elsewhere.
> If you're doing default Kerberos, the networking is UDP, so it's not going
> to spend a lot of time waiting for the network. I would expect that to be
Cool, something to verify, but not a bad guess I think.
> This is all just a wild-ass guess, though.
>
> Given your setup, though, it would really surprise me if you saw any
> performance issues.
Will keeping an access log slow me down much, do you know? For that matter, is there a benchmarking tool for KDCs?
> You can use SRV records and get 3 by just listing both KDCs as equal
> weight. All Kerberos clients these days should support SRV records.
That sounds like a good idea. I can use puppet to list the kdcs in krb5.conf as well.
> I can only see 2 as a real option because *I think* once a TGT is
>> requested, all TGS requests would need to go to the server that gave the
>> TGT?
>
> Nope, all KDCs share the same database and can answer all requests.
Ok, it’s just that I see everywhere (e.g. https://en.wikipedia.org/wiki/Kerberos_(protocol) <https://en.wikipedia.org/wiki/Kerberos_(protocol)>) that the initial TGT response includes a session key that the host and the service server will share. So that’s what got me thinking that once a TGT is retrieved, the client should request a service ticket using the same KDC. But like I said, I’m total newb.
The AS checks to see if the client is in its database. If it is, the AS generates the secret key by hashing the password of the user found at the database (e.g., Active Directory <https://en.wikipedia.org/wiki/Active_Directory> in Windows Server) and sends back the following two messages to the client:
Message A: Client/TGS Session Key encrypted using the secret key of the client/user.
Message B: Ticket-Granting-Ticket (TGT, which includes the client ID, client network address <https://en.wikipedia.org/wiki/Network_address>, ticket validity period, and the client/TGS session key) encrypted using the secret key of the TGS.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos