Kerberos behind load balancer?
Henry B. Hotz
hotz at jpl.nasa.gov
Thu Oct 7 20:54:51 EDT 2004
My basic objection to a load balancer is that Kerberos was designed to
do its own failover without one.
Kerberos was also originally designed to require FQDNs to uniquely map
to the destination IP numbers. Violations of those assumptions
deserved to fail because they might indicate some attempted crack.
While things have changed a lot, I would not be sanguine about avoiding
all the possible side effects.
I would be concerned independent of any specific problems which have
been identified.
On Oct 6, 2004, at 5:23 PM, kerberos-request at mit.edu wrote:
> Well, the answer to this question is complex. We don't think a
> load-balancer will be required for our deployment, but it would
> simplify the end-user experience.
I think many of us still don't understand why you say this. Let me
attempt to clarify.
My assumptions are (pretty much what Ken H suggested):
1) The users get given a standard krb5.conf file with all the (real or
potential) slave KDCs and the master KDC listed. There is no
mentionable overhead for configuring extra kdc entries on all clients
ahead of time.
2) You're using standard Kerberos software like MIT, Heimdal, Sun, or
Microsoft.
3) Your apps use the libraries from 2).
Then all applications will try all the KDCs listed in the krb5.conf
before failing. No load balancer or DNS tricks needed.
The only place you might lose is when the master goes down. Then
admin and password change access fails. But it would fail anyway! (I
presume you weren't going to have a password change get sent to a
random kdc. That would make normal password changes usually fail.)
(I'm not trying to be insulting here, just very, very clear and basic.)
Password change and admin access do not need the same reliability that
normal authentication does. I suspect you could do without for a few
days and hardly feel it.
I get it that DNS changes and "unusual" entries are a problem. Here's
a suggestion: Don't use the load balancer for normal operations (see 1
above). If and only if the Kerberos master fails, then use the load
balancer to redirect traffic to your stand-in master. You'll probably
have to play some games with name resolution on the stand-in to make
everything work, and I recommend you test the contingency plans
carefully.
Does this help?
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
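A small check for assumption 1) above, as an added example that is not part of the original post: it parses the [realms] section of a krb5.conf and reports realms that list fewer than two KDCs (so the client libraries have nothing to fail over to) or that spread admin_server/kpasswd_server across several hosts instead of the single master. The configuration text and host names are constructed placeholders.

```python
# Added example (not from the post): check a krb5.conf [realms] section
# for the client-side failover Henry describes. Constructed sample input;
# host names are placeholders.
import re
from collections import defaultdict

SAMPLE_KRB5_CONF = """\
[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
        kdc = kdc2.example.org
        kdc = kdc3.example.org
        admin_server = kdc1.example.org
        kpasswd_server = kdc1.example.org
    }
    SINGLE.EXAMPLE = {
        kdc = onlykdc.single.example
    }
"""

def parse_realms(text):
    """Return {realm: {key: [values]}} from the [realms] section."""
    realms = defaultdict(lambda: defaultdict(list))
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section != "realms":
            continue
        elif re.match(r"^\S+\s*=\s*\{$", line):
            realm = line.split("=", 1)[0].strip()  # start of a realm block
        elif line == "}":
            realm = None
        elif realm and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            realms[realm][key.lower()].append(value)  # repeated keys accumulate
    return {r: dict(v) for r, v in realms.items()}

def check_failover(realm_keys):
    """Problems with one realm's settings; empty list when it looks right."""
    issues = []
    if len(realm_keys.get("kdc", [])) < 2:
        issues.append("fewer than two kdc entries: no client-side failover")
    for k in ("admin_server", "kpasswd_server"):
        if len(realm_keys.get(k, [])) > 1:
            issues.append(f"{k} lists several hosts; changes must go to the master")
    return issues
```

Run it against a real krb5.conf by reading the file into `parse_realms` and calling `check_failover` on each realm it returns.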