
Re: Help with SASL/GSSAPI to remote Kerberos server

--On Tuesday, February 19, 2008 10:32 PM -0800 Russ Allbery <rra@stanford.edu> wrote:

You may still want to use Heimdal for *performance*, however, or disable
the replay cache on MIT Kerberos (Heimdal doesn't, or at least didn't,
implement one).  The replay cache is known to have extremely poor
performance in threaded environments and with lots of authentications.

The other major difference between MIT and Heimdal is the behavior when a ticket expires. With MIT, any existing connections will stop working. With Heimdal, existing connections will continue to work; just new connections will fail until the ticket is renewed. I strongly prefer the Heimdal behavior if using something like SASL/GSSAPI for doing replication with persistent connections.



Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra ::  the leader in open source messaging and collaboration