Kerberos behind load balancer?

Tillman Hodgson tillman at
Wed Oct 6 12:46:49 EDT 2004

On Wed, Oct 06, 2004 at 09:59:06AM -0400, Ken Hornstein wrote:
> And let me echo the comments of others: we've run our Kerberos servers on
> the oldest, crappiest hardware we've had kicking around the dustbin (we
> upgrade it occasionally, but it's always to the latest "crappiest" system
> we've got laying around).  I seriously doubt you're going to need a load
> balancer.  And if you don't need it, I can't see it causing you anything
> but trouble in the long run.

I can echo that sentiment as well. When I first started looking into
Kerberos I was concerned about client load on the KDC.

This post (from 1993) put my fears to rest:

I can indeed confirm that a DECStation 5000/25 (with a 25MHz MIPS R3000
CPU and a 10MBit AUI ethernet port) can handle whatever I could throw at
it, including authentication for a website (via apache mod_auth_kerb)
that did not cache tickets, without showing any real load that I could
measure. It was _idling_.

I'm now running it on a SparcStation 10, simply because I don't have the
DECStation any more and the old Sun box is the oldest crappiest hardware
I have left where I still trust the hard drive (a relatively modern
Seagate replacement, in this case).

Older RISC hardware also tends to have real serial consoles, which is
a Good Thing on a KDC that doesn't allow network logins :-)

If I /was/ going to load balance a KDC in some form, I'd do it not to
shift load as in CPU-load but rather to optimize latency for wide-area
links. Anycast would be the method I'd use.


"If you already know what recursion is, just remember the answer.
 Otherwise, find someone who is standing closer to Douglas Hofstadter
 than you are; then ask him or her what recursion is."
    -- Andrew "Zarf" Plotkin
