Kerberos behind load balancer?
Ken Raeburn
raeburn at MIT.EDU
Wed Oct 6 00:03:38 EDT 2004
On Oct 5, 2004, at 23:15, Jason T Hardy wrote:
> Sam,
>
> Actually, a load balancer simplifies client deployment in our case (we
> can't utilize DNS load balancing on our campus). We can, with a load
> balancer, have all of the KDC's share one hostname. Our kadmin server
> can also share that hostname.
>
> kerberos:88 -> points to our KDC's

(I hope by "DNS load balancing" that you can't do, you're only
referring to the hacks that return a different address per query, based
on load.)

I think there are better solutions to that. (1) Create a DNS name
which points to multiple addresses; typically the nameserver will
change the order randomly, which will effect some load balancing. (2)
Use DNS SRV records to return the names of the various KDCs, with equal
priority. Granted, these approaches aren't load-sensitive, but the DNS
SRV record approach will let you do some uneven load balancing by
adjusting the weights based on the capabilities of each server.
They'll also let you spread out your KDCs to a couple of locations, if
you don't want to risk a single point of failure.

> Further, we can bring systems up/down or add/remove new systems without
> requiring modifications to the client configurations.

The DNS records pointing to the N KDC addresses can be updated without
changing client configurations.

Even if you don't update the DNS records for a while, it should only
cause a delay of a couple seconds or so (using the MIT code) per
offline KDC, and only when the clients choose those KDCs first.

Ken
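
The weighted SRV approach described in the message above, as an added example that is not part of the original post and is not MIT's code: it orders KDC targets the way RFC 2782 describes (lowest priority first, weighted random choice within a priority) and measures how often each KDC would be tried first. The realm, host names and weights are constructed, and whether a particular Kerberos client honors SRV weights is an assumption not stated on this page.

```python
import random
from collections import defaultdict

# Constructed sample SRV records (hypothetical realm and host names).
SAMPLE_ZONE = """\
_kerberos._udp.EXAMPLE.EDU. IN SRV 0 60 88 kdc1.example.edu.
_kerberos._udp.EXAMPLE.EDU. IN SRV 0 20 88 kdc2.example.edu.
_kerberos._udp.EXAMPLE.EDU. IN SRV 0 20 88 kdc3.example.edu.
_kerberos._udp.EXAMPLE.EDU. IN SRV 10 0 88 kdc-offsite.example.edu.
"""

def parse_srv(zone_text):
    """Return (priority, weight, port, target) tuples from SRV lines."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) == 7 and fields[2] == "SRV":
            prio, weight, port = (int(x) for x in fields[3:6])
            records.append((prio, weight, port, fields[6].rstrip(".")))
    return records

def order_targets(records, rng=random):
    """Order targets as RFC 2782 describes: lowest priority first,
    weighted random selection without replacement inside a priority."""
    by_prio = defaultdict(list)
    for rec in records:
        by_prio[rec[0]].append(rec)
    ordered = []
    for prio in sorted(by_prio):
        # Zero-weight records go first so they keep a small chance.
        pool = sorted(by_prio[prio], key=lambda r: r[1] != 0)
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for i, rec in enumerate(pool):
                running += rec[1]
                if running >= pick:
                    ordered.append((rec[3], rec[2]))
                    del pool[i]
                    break
    return ordered

def first_choice_share(records, trials=10000, seed=1):
    """Fraction of trials in which each KDC is tried first."""
    rng = random.Random(seed)
    counts = defaultdict(int)
    for _ in range(trials):
        counts[order_targets(records, rng)[0][0]] += 1
    return {host: n / trials for host, n in counts.items()}
```

With these weights the first-choice share comes out near 60/20/20 across the three priority-0 KDCs, and the priority-10 off-site KDC is only reached after the others have been tried.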