--On Tuesday, February 19, 2008 10:32 PM -0800 Russ Allbery <rra@stanford.edu> wrote:

> You may still want to use Heimdal for *performance*, however, or disable the replay cache on MIT Kerberos (Heimdal doesn't, or at least didn't, implement one). The replay cache is known to have extremely poor performance in threaded environments and with lots of authentications.

The other major difference between MIT and Heimdal is the behavior when a ticket expires. With MIT, any existing connections will stop working. With Heimdal, existing connections will continue to work; just new connections will fail until the ticket is renewed. I strongly prefer the Heimdal behavior if using something like SASL/GSSAPI for doing replication with persistent connections.

--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration