Kerberos behind load balancer?

Jason T Hardy jthardy at
Wed Oct 6 08:14:10 EDT 2004

On Wed, 2004-10-06 at 00:23, Frank Cusack wrote:
> > balancer, have all of the KDC's share one hostname. Our kadmin server
> > can also share that hostname.
> >
> >  kerberos:88 -> points to our KDC's
> >  kerberos:749 -> point to our admin server
> Isn't that broken?  You can't load balance the admin server because
> MIT isn't multi-master.  For DR it's just as easy to bring up a new
> server with the old server's IP.

No, it's not broken. The kadmin server that's active responds to the
request. If my admin server goes down I can "promote" one of the slaves.

> True, but modern hardware can handle VERY VERY large numbers of clients.
> krb5 requests are short and efficient for the most part.  You shouldn't
> need more than 3 IPs and you can even have them on 2 servers (reserving
> the 3rd for future use if you don't want to maintain the extra HW).
> If you use DNS SRV records you can also add new systems without client
> config change.  That's what we do.

I can't modify DNS.

> The load balancer is simply another failure point.

As is everything else.

> /fc

Jason T Hardy
Unix Systems Administrator
Office of Information Technology
University of Texas at Arlington

More information about the Kerberos mailing list