load balancing of Kerberized services
Jeffrey Hutzelman
jhutz at cmu.edu
Mon Apr 12 18:34:55 EDT 2004
On Saturday, April 10, 2004 16:47:21 +0000 Donn Cave <donn at drizzle.com>
wrote:
> It depends on your client software. All you need to do is resolve the
> addresses to canonical host name first, and use the resolved name for
> both the client connect and the service ticket.
Careful here... Using insecure DNS to compute a service principal name is
asking for trouble. You're OK if, as suggested, you compare the resulting
name to a list of known valid servers, but that's a fair bit of work and
most software that does reverse resolution to determine service names
either can't or doesn't do it.
Also, the problem description _I_ read involved a connection-forwarder with
its own IP address, not a DNS load balancer. It makes a difference -- with
a connection-forwarder, reverse-resolving the address you connected to will
still get you the name of the forwarder.
> If you can't do that, then I guess you will need the keys for each server
> host, on all server hosts - ldap/server1 + ldap/server2 + ...
It should work just fine for each server to have its own key plus a copy of
the shared key for the load-balanced name.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+ at cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
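The two ways of choosing a service principal that the reply contrasts, as an added example that is not part of the original message or of any Kerberos implementation: the safe default derives the principal from the name the client was told to connect to, with no DNS involved; the reverse-DNS path is accepted only when the resolved name is on an out-of-band list of known valid servers, and in the connection-forwarder case it still yields the forwarder's own name. The realm, host names, addresses and the PTR table are constructed for the example; the check itself is the one described above, a name comparison against a known-server list.

```python
# Added example, not from the original post: picking the Kerberos service
# principal for a load-balanced service without trusting insecure DNS.
from typing import Callable, Optional

REALM = "EXAMPLE.COM"  # assumed realm for the example

# Constructed reverse-DNS answers standing in for an insecure resolver.
# 10.0.0.10 is the connection forwarder's own address; 10.0.0.99 is a host
# whose PTR record an attacker controls. Nothing here is trusted on its own.
CONSTRUCTED_PTR = {
    "10.0.0.10": "lb.example.com",
    "10.0.0.11": "server1.example.com",
    "10.0.0.12": "server2.example.com",
    "10.0.0.99": "evil.example.com",
}

# List of known valid servers for the service, maintained out of band
# (for instance in client configuration), never derived from DNS.
KNOWN_SERVERS = {"lb.example.com", "server1.example.com", "server2.example.com"}


def constructed_ptr_lookup(addr: str) -> Optional[str]:
    """Stand-in for a reverse lookup; returns None when there is no PTR."""
    return CONSTRUCTED_PTR.get(addr)


def principal_from_connect_name(service: str, connect_name: str,
                                realm: str = REALM) -> str:
    """Safe default: build the principal from the name the client was
    configured to connect to, with no DNS lookup at all. Behind a forwarder
    this gives e.g. ldap/lb.example.com, so every backend server must hold a
    copy of that principal's key in addition to its own host key."""
    return f"{service}/{connect_name.lower().rstrip('.')}@{realm}"


def principal_from_reverse_dns(service: str, addr: str,
                               known_servers: set,
                               ptr_lookup: Callable[[str], Optional[str]],
                               realm: str = REALM) -> str:
    """Reverse-resolve the address the client connected to and accept the
    answer only if it names a known server. Without the known_servers check
    an attacker who controls the PTR record chooses which principal the
    client requests a ticket for."""
    name = ptr_lookup(addr)
    if name is None:
        raise ValueError(f"no PTR record for {addr}")
    name = name.lower().rstrip(".")
    if name not in known_servers:
        raise ValueError(f"{addr} reverse-resolves to {name}, "
                         "which is not a known server for this service")
    return f"{service}/{name}@{realm}"


if __name__ == "__main__":
    print(principal_from_connect_name("ldap", "lb.example.com"))
    # The forwarder case: reverse-resolving the connected address gives the
    # forwarder's name, not a backend's.
    print(principal_from_reverse_dns("ldap", "10.0.0.10", KNOWN_SERVERS,
                                     constructed_ptr_lookup))
    for addr in ("10.0.0.99", "10.0.0.50"):
        try:
            principal_from_reverse_dns("ldap", addr, KNOWN_SERVERS,
                                       constructed_ptr_lookup)
        except ValueError as err:
            print("rejected:", err)
```

In practice the connect-name path is what you get from MIT Kerberos with `rdns = false` and `dns_canonicalize_hostname = false` in the `[libdefaults]` section of krb5.conf. On the server side, when copying the shared principal's key into each backend's keytab with MIT `kadmin.local`, use `ktadd -norandkey` so the export does not rotate the key and invalidate the copies already installed on the other servers.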