Kerberos behind load balancer?

Tillman Hodgson tillman at seekingfire.com
Wed Oct 6 12:46:49 EDT 2004


On Wed, Oct 06, 2004 at 09:59:06AM -0400, Ken Hornstein wrote:
> And let me echo the comments of others: we've run our Kerberos servers on
> the oldest, crappiest hardware we've had kicking around the dustbin (we
> upgrade it occasionally, but it's always to the latest "crappiest" system
> we've got laying around).  I seriously doubt you're going to need a load
> balancer.  And if you don't need it, I can't see it causing you anything
> but trouble in the long run.

I can echo that sentiment as well. When I first started looking into
Kerberos I was concerned about client load on the KDC.

This post (from 1993) put my fears to rest:
http://groups.google.ca/groups?hl=en&lr=&th=f5ea1615382bdfcc&rnum=2

I can indeed confirm that a DECStation 5000/25 (with a 25MHz MIPS R3000
CPU and a 10MBit AUI ethernet port) can handle whatever I could throw at
it, including authentication for a website (via apache mod_auth_kerb)
that did not cache tickets, without showing any real load that I could
measure. It was _idling_.

I'm now running it on a SparcStation 10, simply because I don't have the
DECStation any more and the old Sun box is the oldest crappiest hardware
I have left where I still trust the hard drive (a relatively modern
Seagate replacement, in this case).

Older RISC hardware also tends to have real serial consoles, which is
a Good Thing on a KDC that doesn't allow network logins :-)

If I /was/ going to load balance a KDC in some form, I'd do it not to
shift load as in CPU-load but rather to optimize latency for wide-area
links. Anycast would be the method I'd use.

-T


-- 
"If you already know what recursion is, just remember the answer.
 Otherwise, find someone who is standing closer to Douglas Hofstadter
 than you are; then ask him or her what recursion is."
    -- Andrew "Zarf" Plotkin

