load balancing of kerberized services

Jeffrey Hutzelman jhutz at cmu.edu
Mon Apr 12 18:34:55 EDT 2004


On Saturday, April 10, 2004 16:47:21 +0000 Donn Cave <donn at drizzle.com> wrote:

> It depends on your client software.  All you need to do is resolve the
> addresses to canonical host name first, and use the resolved name for
> both the client connect and the service ticket.

Careful here...  Using insecure DNS to compute a service principal name is 
asking for trouble.  You're OK if, as suggested, you compare the resulting 
name to a list of known valid servers, but that's a fair bit of work and 
most software that does reverse resolution to determine service names 
either can't or doesn't do it.

Also, the problem description _I_ read involved a connection-forwarder with 
its own IP address, not a DNS load balancer.  It makes a difference -- with 
a connection-forwarder, reverse-resolving the address you connected to will 
still get you the name of the forwarder.


> If you can't do that, then I guess you will need the keys for each server
> host, on all server hosts - ldap/server1 + ldap/server2 + ...

It should work just fine for each server to have its own key plus a copy of 
the shared key for the load-balanced name.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
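The two points above (only trust a reverse-resolved name if it is on a list of known servers, and otherwise fall back to the load-balanced name, for which every back-end holds the shared key) as an added example; this is not code from the thread, and the host names, addresses, realm and lookup tables are constructed stand-ins for DNS.

```python
from typing import Callable, Dict, FrozenSet, List, Optional

Reverse = Callable[[str], Optional[str]]  # address -> PTR name, or None
Forward = Callable[[str], List[str]]      # name -> list of addresses

def service_principal(connect_name: str, connected_addr: str,
                      reverse: Reverse, forward: Forward,
                      known_servers: FrozenSet[str],
                      service: str = "ldap", realm: str = "EXAMPLE.COM") -> str:
    """Choose the service principal for a connection to connected_addr.

    A reverse-resolved name is used only if it is on the allowlist of known
    servers AND is forward-confirmed (the address we connected to is one of
    that name's addresses). Otherwise use the name the user asked for, i.e.
    the load-balanced name, whose shared key each back-end also holds."""
    ptr = reverse(connected_addr)
    if ptr is not None:
        canon = ptr.rstrip(".").lower()
        if canon in known_servers and connected_addr in forward(canon):
            return f"{service}/{canon}@{realm}"
    return f"{service}/{connect_name.rstrip('.').lower()}@{realm}"

# Constructed allowlist of real back-end servers (assumption, not from the thread)
KNOWN_SERVERS = frozenset({"server1.example.com", "server2.example.com"})

# Constructed PTR records: the forwarder has its own address (192.0.2.1), and
# 192.0.2.99 is an untrusted host whose PTR merely claims a known name.
PTR: Dict[str, str] = {
    "192.0.2.10": "server1.example.com.",
    "192.0.2.11": "server2.example.com.",
    "192.0.2.1": "lb.example.com.",
    "192.0.2.99": "server1.example.com.",
}
# Constructed forward (A) records used for forward-confirmation.
A: Dict[str, List[str]] = {
    "server1.example.com": ["192.0.2.10"],
    "server2.example.com": ["192.0.2.11"],
    "lb.example.com": ["192.0.2.1"],
    "ldap.example.com": ["192.0.2.1"],   # the load-balanced name
}

def fake_reverse(addr: str) -> Optional[str]:
    return PTR.get(addr)

def fake_forward(name: str) -> List[str]:
    return A.get(name, [])

if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.1", "192.0.2.99"):
        print(addr, "->", service_principal("ldap.example.com", addr,
                                            fake_reverse, fake_forward, KNOWN_SERVERS))
```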


