Debugging connections through load balancers.

Ken Hornstein kenh at cmf.nrl.navy.mil
Tue Jul 25 00:56:15 EDT 2006


>I've got a kerberized service that worked fine before I started
>trying to use it through a load balancer.  (I'm saying that for
>background, not because I didn't think it should matter.)
>
>So the current situation is that I've changed /etc/hosts and /etc/
>nodename to contain the FQDN of the balancer.  The server *thinks*
>its name is the balancer's name.  A connection to the balancer does
>get to the real server.  The server's keytab has entries for both its
>real name and the balancer's name.  Doesn't work.  (Interestingly a
>direct connection that bypasses the balancer still works;  I wouldn't
>have expected that.)
>
>So how do I go about debugging something like this?

What kind of error do you get?  "Key table entry not found", or
something like that?

>My next step would be to snoop the connection and feed it to
>ethereal, probably with lots of keys available so it can decode
>everything.  Is there anything better to try?  Is there any way to
>get the kerberos libs to say what (if anything) they are trying to
>get out of the keytab?

Sniffing the network will probably not be useful; the application
server won't be sending anything useful over the network.  Normally
I have a full debugging build of Kerberos for this occasion ...
but that doesn't sound like an option here.

>If it matters, the service is Sun LDAP 5.2 on Solaris 9.

A SASL server, which means GSSAPI; figures.  And it doesn't seem like it's
open source, either.

Some GSSAPI apps expect that the ticket will be for "service/<local hostname>",
where <local hostname> is what is returned by "hostname".  When you say
the server "thinks" it's the balancer ... how did you tell it that?
You changed its hostname?  You changed its idea of its name for its
IP address?

--Ken
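To make Ken's point concrete, here is an added example (not from the thread or from any Kerberos distribution) that reads the principals out of an MIT-format keytab (version 0x0502) and checks whether the entry a GSSAPI acceptor would look for, service/<what "hostname" returns>, is actually there. The hostnames, realm and zeroed keys are constructed sample data; on a real server you would feed it the bytes of the actual keytab file and the output of "hostname".

```python
import struct

VERSION = b"\x05\x02"          # MIT keytab file format, version 2

def _cos(buf, off):
    """Read a counted octet string (uint16 length, then bytes)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_principals(data):
    """Return the principals ("svc/host@REALM") stored in keytab bytes."""
    if data[:2] != VERSION:
        raise ValueError("only keytab version 0x0502 is handled here")
    off, found = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _cos(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _cos(data, p)
            comps.append(c.decode())
        found.append("/".join(comps) + "@" + realm.decode())
        off = end                    # skip name_type, timestamp, kvno, key
    return found

def expected_principal(service, hostname, realm):
    """The principal many GSSAPI acceptors look up: service/<local hostname>."""
    return f"{service}/{hostname}@{realm}"

def keytab_has(data, service, hostname, realm):
    """True if the keytab holds the principal the server will search for."""
    return expected_principal(service, hostname, realm) in keytab_principals(data)

def _entry(principal):
    """Build one keytab entry with a zeroed dummy key (constructed test data)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, 1)              # name_type, timestamp, kvno
    body += struct.pack(">HH", 17, 16) + b"\0" * 16    # enctype 17 (aes128), 16-byte key
    return struct.pack(">i", len(body)) + body

def build_keytab(principals):
    """Assemble a keytab file image from principal names (constructed data)."""
    return VERSION + b"".join(_entry(p) for p in principals)

# Constructed sample: keytab with both the real name and the balancer name.
SAMPLE = build_keytab(["ldap/ldapserver.example.com@EXAMPLE.COM",
                       "ldap/balancer.example.com@EXAMPLE.COM"])
```

If keytab_has returns False for the name the server reports via "hostname", the acceptor will fail to find a matching key however the client addressed the balancer.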
