Debugging connections through load balancers.

Henry B. Hotz hotz at jpl.nasa.gov
Mon Jul 24 18:53:27 EDT 2006


I've got a kerberized service that worked fine before I started  
trying to use it through a load balancer.  (I'm saying that for  
background, not because I didn't think it should matter.)

So the current situation is that I've changed /etc/hosts and  
/etc/nodename to contain the FQDN of the balancer.  The server *thinks*  
its name is the balancer's name.  A connection to the balancer does  
get to the real server.  The server's keytab has entries for both its  
real name and the balancer's name.  Doesn't work.  (Interestingly a  
direct connection that bypasses the balancer still works;  I wouldn't  
have expected that.)

So how do I go about debugging something like this?

My next step would be to snoop the connection and feed it to  
ethereal, probably with lots of keys available so it can decode  
everything.  Is there anything better to try?  Is there any way to  
get the kerberos libs to say what (if anything) they are trying to  
get out of the keytab?

If it matters, the service is Sun LDAP 5.2 on Solaris 9.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu




