Kerberos behind load balancer?

Frank Cusack fcusack at fcusack.com
Wed Oct 6 01:23:41 EDT 2004


On Wed, 6 Oct 2004 03:59:35 +0000 (UTC) jthardy at uta.edu (Jason T Hardy) wrote:
> Sam,
>
> Actually, a load balancer simplifies client deployment in our case (we
> can't utilize DNS load balancing on our campus). We can, with a load

Don't need DNS load balancing (and it's broken anyway).

> balancer, have all of the KDCs share one hostname. Our kadmin server
> can also share that hostname.
>
>  kerberos:88 -> points to our KDCs
>  kerberos:749 -> points to our admin server

Isn't that broken?  You can't load balance the admin server because
MIT isn't multi-master.  For DR it's just as easy to bring up a new
server with the old server's IP.

> Further, we can bring systems up/down or add/remove new systems without
> requiring modifications to the client configurations.

True, but modern hardware can handle VERY VERY large numbers of clients.
krb5 requests are short and efficient for the most part.  You shouldn't
need more than 3 IPs and you can even have them on 2 servers (reserving
the 3rd for future use if you don't want to maintain the extra HW).

If you use DNS SRV records you can also add new systems without client
config change.  That's what we do.

The load balancer is simply another failure point.

/fc
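The SRV-record approach Frank describes, written out as an added example (not from the thread or from MIT's own documentation): a BIND-style zone fragment for a hypothetical realm EXAMPLE.COM with three KDC addresses, the admin service pinned to a single master because kadmin is not multi-master, and no client-side KDC list at all. Hostnames, addresses and TTLs are constructed.

```dns
; Added example, not from the original thread. Zone fragment for example.com.
; Record layout: _service._proto  TTL  IN SRV  priority weight port target
$ORIGIN example.com.
$TTL 300                       ; short TTL so KDC changes reach clients quickly

; Three KDC addresses on two physical hosts (kdc2 carries a second address,
; reserved for a future third machine, as the reply suggests).
kdc1                IN A    192.0.2.10
kdc2                IN A    192.0.2.11
kdc3                IN A    192.0.2.12   ; currently a second address on kdc2's hardware

; Ticket service: equal priority spreads requests, weight sets the share.
; MIT clients try the next SRV target when one KDC times out, so a dead KDC
; costs a retry, not an outage.
_kerberos._udp      IN SRV  0 34 88  kdc1.example.com.
_kerberos._udp      IN SRV  0 33 88  kdc2.example.com.
_kerberos._udp      IN SRV  0 33 88  kdc3.example.com.
_kerberos._tcp      IN SRV  0 34 88  kdc1.example.com.
_kerberos._tcp      IN SRV  0 33 88  kdc2.example.com.
_kerberos._tcp      IN SRV  0 33 88  kdc3.example.com.

; Admin and password-change services: exactly one target, the master KDC.
; For DR, re-point this record (or move the master's IP) rather than load balance.
_kerberos-adm._tcp  IN SRV  0 0  749 kdc1.example.com.
_kpasswd._udp       IN SRV  0 0  464 kdc1.example.com.

; Optional realm hint so hosts in example.com map to EXAMPLE.COM without a
; [domain_realm] entry (only consulted when dns_lookup_realm is enabled).
_kerberos           IN TXT  "EXAMPLE.COM"
```

Adding a KDC is then an A record plus an SRV line, and removing one is deleting them; clients need only `dns_lookup_kdc = true` under `[libdefaults]` in krb5.conf (and no `kdc =` lines in `[realms]`), since the SRV records replace the static list.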