Kerberos behind load balancer?

Jason T Hardy jthardy at
Wed Oct 6 15:07:53 EDT 2004

On Wed, 2004-10-06 at 12:52, Sam Hartman wrote:
> >>>>> "Jason" == Jason T Hardy <jthardy at> writes:
>     Jason> Sam, Actually, a load balancer simplifies client deployment
>     Jason> in our case (we can't utilize DNS load balancing on our
>     Jason> campus). We can, with a load balancer, have all of the
>     Jason> KDCs share one hostname. Our kadmin server can also share
>     Jason> that hostname.
> I think what I'm questioning here is the need for load balancing of
> the KDC.  I agree that if you need to load balance a KDC, using a load
> balancer is one way to do it.  If you don't actually need to load
> balance access to your KDCs, you'll find you get a much simpler
> deployment without the load balancer.
> --Sam

Well, the answer to this question is complex. We don't think a
load-balancer will be required for our deployment, but it would simplify
the end-user experience.

I guess the problem that everyone is having with our deployment is the
term load-balancer. We don't actually want to ease the load off of our
KDCs, we just want to provide a seamless way of ensuring availability in
the event that we lose one (or more) of them. I think it's true for
everyone who's commented on this thread that their users are probably
not aware of how Kerberos works. We're trying to make deployment as easy
as possible for the end user (migrating a huge deployment from AD to MIT
Kerberos). Having one host name to remember would certainly help.

You'll say that DNS is the answer. I would agree. The problem is, we
don't have access, or support from the folks controlling our DNS, to add
the SRV records which would simplify the whole mess. Since we already
have a load balancing switch (NetScaler) around for other purposes,
we're trying to use it in place of doing things properly. :-)

Jason T Hardy
Unix Systems Administrator
Office of Information Technology
University of Texas at Arlington
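For readers weighing the options discussed in this thread, here is an added example (not from the original post or from MIT) of the no-load-balancer approach Sam describes: a krb5.conf realm stanza that lists every KDC explicitly so the client itself fails over, with the SRV records Jason cannot get published shown alongside for comparison. The realm EXAMPLE.EDU and the kdc1/kdc2/kdc3 hostnames are constructed placeholders.

```ini
# Client-side failover without a load balancer (constructed example).
# MIT clients try each "kdc =" entry in order and move on to the next
# when one does not answer, so losing a KDC costs only a timeout on
# the client, not availability. Admin traffic still goes to one host.

[libdefaults]
    default_realm = EXAMPLE.EDU
    # SRV lookups are disabled here because, as in the thread, the
    # campus DNS cannot carry the records; the realm list below is
    # the complete source of KDC addresses.
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    EXAMPLE.EDU = {
        kdc = kdc1.example.edu
        kdc = kdc2.example.edu
        kdc = kdc3.example.edu
        master_kdc = kdc1.example.edu
        admin_server = kdc1.example.edu
    }

# If the DNS team could publish records instead, the equivalent zone
# data would be (same constructed hosts; shown for comparison only,
# this is not part of krb5.conf):
#
#   _kerberos._udp.EXAMPLE.EDU.       SRV 0 0  88  kdc1.example.edu.
#   _kerberos._udp.EXAMPLE.EDU.       SRV 0 0  88  kdc2.example.edu.
#   _kerberos._udp.EXAMPLE.EDU.       SRV 0 0  88  kdc3.example.edu.
#   _kerberos-adm._tcp.EXAMPLE.EDU.   SRV 0 0 749  kdc1.example.edu.
#
# With those in place, dns_lookup_kdc = true and an empty [realms]
# list would give the same failover behaviour from a single realm name.
```

The trade-off against the NetScaler approach is that a client-side KDC list has to be pushed to every workstation, which is exactly the distribution problem the single shared hostname was meant to avoid.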

