Kerberos behind load balancer?

Kasundra, Digant digant at
Wed Oct 6 13:07:23 EDT 2004

I agree that the load is not an issue.  But without DNS round-robin, and without the load-balancer, we'd have to arbitrarily point our systems and services at one of the slaves.  If that slave goes down, we'd have to scramble to see who all was pointing to it and change them to point to the other place.  

DNS round-robin would be best, but some options for those of us with our hands-tied would be nice.  I think we may have a working solution although we are still testing it, and it did require a code patch to allow listening to the loopback.

-- DK

-----Original Message-----
From: kerberos-bounces at on behalf of Tillman Hodgson
Sent: Wed 10/6/2004 11:46 AM
To: kerberos at
Subject: Re: Kerberos behind load balancer?

On Wed, Oct 06, 2004 at 09:59:06AM -0400, Ken Hornstein wrote:
> And let me echo the comments of others: we've run our Kerberos servers on
> the oldest, crappiest hardware we've had kicking around the dustbin (we
> upgrade it occasionally, but it's always to the latest "crappiest" system
> we've got laying around).  I seriously doubt you're going to need a load
> balancer.  And if you don't need it, I can't see it causing you anything
> but trouble in the long run.

I can echo that sentiment as well. When I first started looking into
Kerberos I was concerned about client load on the KDC.

This post (from 1993) put my fears to rest:

I can indeed confirm that a DECStation 5000/25 (with a 25MHz MIPS R3000
CPU and a 10MBit AUI ethernet port) can handle whatever I could throw at
it, including authentication for a website (via apache mod_auth_kerb)
that did not cache tickets, without showing any real load that I could
measure. It was _idling_.

I'm now running it on a SparcStation 10, simply because I don't have the
DECStation any more and the old Sun box is the oldest crappiest hardware
I have left where I still trust the hard drive (a relatively modern
Seagate replacement, in this case).

Older RISC hardware also tends to have real serial consoles, which is a
Good Thing on a KDC that doesn't allow network logins :-)

If I /was/ going to load balance a KDC in some form, I'd do it not to
shift load as in CPU-load but rather to optimize latency for wide-area
links. Anycast would be the method I'd use.


"If you already know what recursion is, just remember the answer.
 Otherwise, find someone who is standing closer to Douglas Hofstadter
 than you are; then ask him or her what recursion is."
    -- Andrew "Zarf" Plotkin