Kerberos behind load balancer?

Kasundra, Digant digant at
Wed Oct 6 13:36:19 EDT 2004

How do you list both in DNS?  Are you implying that in DNS you only have (for instance) and and list both machines as KDCs in the krb5.conf.  If so, the app then randomly picks a KDC and tries that and if that fails, it rolls over to the next?  You then build that functionality into each and every app.  

And when we tell our app programmers that is how they have to do it and they say "Why don't you have a load balancer that does that for me instead of me having to write this into all my various apps?"

We are under political pressures to get this done and bound by other politics to not do it the way everyone else is.

-- DK

-----Original Message-----
From: kerberos-bounces at on behalf of Ken Hornstein
Sent: Wed 10/6/2004 12:14 PM
To: kerberos at
Subject: Re: Kerberos behind load balancer? 
>If we could modify DNS to do DNS round-robin, we too would be okay.  But
>we can't.

This is the part I don't understand.  _WHY_ do you think you need
this?  I've literally run 6 years with a very simple setup: two KDCs,
each one listed in DNS and our krb5.conf.  On the rare occasions we
lose a master, the backup answers requests.  I either fix the master or
bring up the slave as the master temporarily (it usually takes me a
while to notice this, because everything keeps running normally).  This
is pretty much what everyone I know does.  We'd all like multi-master, but
it hasn't impacted operations in my experience.

Kerberos mailing list           Kerberos at

More information about the Kerberos mailing list