Kerberos behind load balancer?

Tillman Hodgson tillman at seekingfire.com
Wed Oct 6 13:15:16 EDT 2004


On Wed, Oct 06, 2004 at 12:07:23PM -0500, Kasundra, Digant wrote:
> I agree that the load is not an issue.  But without DNS round-robin,
> and without the load-balancer, we'd have to arbitrarily point our
> systems and services at one of the slaves.  If that slave goes down,
> we'd have to scramble to see who all was pointing to it and change
> them to point to the other place.  

Anycast. Kerberos auth is UDP, after all.

> DNS round-robin would be best, but some options for those of us with
> our hands tied would be nice.  I think we may have a working solution
> although we are still testing it, and it did require a code patch to
> allow listening to the loopback.

Round-robin sucks. It means that if something goes down it fails 50% of
the time.

DNS hackery to do background checks and so forth is a bit better, but
not standardized or easy to implement.

-T


-- 
"In the beginning, the file was without form, and void; and emptiness
 was upon the face of the bits. And the Fingers of the Author moved upon
 the face of the keyboard. And the Author said, Let there be words, and
 there were words."
    -- From Linux System Administrators' Guide

