Kerberos behind load balancer?

Ken Hornstein kenh at
Wed Oct 6 09:59:06 EDT 2004

>> Isn't that broken?  You can't load balance the admin server because
>> MIT isn't multi-master.  For DR it's just as easy to bring up a new
>> server with the old server's IP.
>No, it's not broken. The kadmin server that's active responds to the
>request. If my admin server goes down I can "promote" one of the slaves.

Dumb question time: have you actually tried changing your password
with kpasswd with this setup?  I'm not sure it would work.

And let me echo the comments of others: we've run our Kerberos servers on
the oldest, crappiest hardware we've had kicking around the dustbin (we
upgrade it occasionally, but it's always to the latest "crappiest" system
we've got lying around).  I seriously doubt you're going to need a load
balancer.  And if you don't need it, I can't see it causing you anything
but trouble in the long run.


