Kerberos behind load balancer?
Jason T Hardy
jthardy at uta.edu
Wed Oct 6 08:14:10 EDT 2004
On Wed, 2004-10-06 at 00:23, Frank Cusack wrote:
> > balancer, have all of the KDCs share one hostname. Our kadmin server
> > can also share that hostname.
> >
> > kerberos:88 -> points to our KDCs
> > kerberos:749 -> points to our admin server
>
> Isn't that broken? You can't load balance the admin server because
> MIT isn't multi-master. For DR it's just as easy to bring up a new
> server with the old server's IP.
No, it's not broken. The kadmin server that's active responds to the
request. If my admin server goes down I can "promote" one of the slaves.
> True, but modern hardware can handle VERY VERY large numbers of clients.
> krb5 requests are short and efficient for the most part. You shouldn't
> need more than 3 IPs and you can even have them on 2 servers (reserving
> the 3rd for future use if you don't want to maintain the extra HW).
>
> If you use DNS SRV records you can also add new systems without client
> config change. That's what we do.
I can't modify DNS.
> The load balancer is simply another failure point.
As is everything else.
> /fc
--
Jason T Hardy
Unix Systems Administrator
Office of Information Technology
University of Texas at Arlington
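The two configurations discussed in this thread are a single shared hostname (kerberos:88 for the KDCs, kerberos:749 for kadmin) and per-host DNS SRV records that let a client discover new KDCs without a config change. The script below is an added example, not code from either poster or from MIT krb5: it parses the SRV records an MIT client would query (_kerberos._udp and _kerberos._tcp for port 88, _kerberos-adm._tcp for 749, _kpasswd._udp for 464) out of a BIND-style zone file and renders the equivalent static [realms] stanza for clients that, like Jason's, cannot rely on DNS. It also enforces the one point both sides agree on: MIT kadmind is single-master, so _kerberos-adm._tcp must name exactly one host. The zone text, realm EXAMPLE.EDU and kdc1/kdc2/kdc3 hostnames are constructed for the example.

```python
"""Render a static krb5.conf [realms] stanza from Kerberos DNS SRV records.

Added example (not from the original thread or from MIT krb5). The zone below
is constructed; realm and hostnames are hypothetical.
"""
import re
from collections import defaultdict

# Constructed sample zone: three KDCs on port 88, one kadmin host on 749.
SAMPLE_ZONE = """\
; constructed example zone for EXAMPLE.EDU (hypothetical hosts)
_kerberos._udp.EXAMPLE.EDU.      IN SRV 0 0 88  kdc1.example.edu.
_kerberos._udp.EXAMPLE.EDU.      IN SRV 0 0 88  kdc2.example.edu.
_kerberos._udp.EXAMPLE.EDU.      IN SRV 10 0 88 kdc3.example.edu.
_kerberos._tcp.EXAMPLE.EDU.      IN SRV 0 0 88  kdc1.example.edu.
_kerberos-adm._tcp.EXAMPLE.EDU.  IN SRV 0 0 749 kdc1.example.edu.
_kpasswd._udp.EXAMPLE.EDU.       IN SRV 0 0 464 kdc1.example.edu.
"""

# Same zone with a second kadmin record: the failure case the script rejects.
TWO_ADMIN_ZONE = SAMPLE_ZONE + (
    "_kerberos-adm._tcp.EXAMPLE.EDU.  IN SRV 0 0 749 kdc2.example.edu.\n"
)

# _service._proto.REALM. [TTL] IN SRV prio weight port target.
SRV_RE = re.compile(
    r"^(?P<service>_[a-z-]+)\._(?P<proto>udp|tcp)\.(?P<realm>\S+?)\.?\s+"
    r"(?:\d+\s+)?IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+"
    r"(?P<target>\S+?)\.?\s*$",
    re.IGNORECASE,
)


def parse_srv(zone_text):
    """Return ({(service, proto): [(prio, weight, port, target), ...]}, realm)."""
    records = defaultdict(list)
    realms = set()
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip zone-file comments
        if not line:
            continue
        m = SRV_RE.match(line)
        if not m:
            continue  # not an SRV record we care about
        realms.add(m["realm"].upper())
        records[(m["service"].lower(), m["proto"].lower())].append(
            (int(m["prio"]), int(m["weight"]), int(m["port"]), m["target"].lower())
        )
    if len(realms) != 1:
        raise ValueError(f"expected one realm in zone, found {sorted(realms)}")
    return dict(records), realms.pop()


def kdc_targets(records):
    """KDC host:port list, lowest SRV priority first, udp/tcp merged, deduped."""
    entries = records.get(("_kerberos", "udp"), []) + records.get(("_kerberos", "tcp"), [])
    seen, out = set(), []
    for prio, weight, port, target in sorted(entries, key=lambda e: (e[0], -e[1])):
        hp = f"{target}:{port}"
        if hp not in seen:
            seen.add(hp)
            out.append(hp)
    return out


def admin_server(records):
    """kadmin host:port. MIT kadmind is single-master, so insist on exactly one."""
    adm = records.get(("_kerberos-adm", "tcp"), [])
    targets = sorted({f"{t}:{p}" for _, _, p, t in adm})
    if len(targets) != 1:
        raise ValueError(
            f"_kerberos-adm._tcp must name exactly one host (kadmin is not "
            f"multi-master); got {targets}"
        )
    return targets[0]


def single_admin(zone_text):
    """True if the zone's kadmin SRV records point at exactly one host."""
    try:
        admin_server(parse_srv(zone_text)[0])
        return True
    except ValueError:
        return False


def render_realm_stanza(zone_text):
    """Static krb5.conf [realms] stanza equivalent to the zone's SRV records."""
    records, realm = parse_srv(zone_text)
    lines = ["[realms]", f"    {realm} = {{"]
    for hp in kdc_targets(records):
        lines.append(f"        kdc = {hp}")
    lines.append(f"        admin_server = {admin_server(records)}")
    kpw = records.get(("_kpasswd", "udp"), [])
    if kpw:
        lines.append(f"        kpasswd_server = {kpw[0][3]}:{kpw[0][2]}")
    lines.append("    }")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_realm_stanza(SAMPLE_ZONE))
```

With dns_lookup_kdc = true in [libdefaults] an MIT client would resolve these records itself; the rendered stanza is what you hand to clients that must be configured statically, and the single-admin check is what a load balancer VIP on port 749 silently bypasses if more than one kadmind is ever left running behind it.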