Seeking KDC Priority/Weight Clarification/Recommendation
Mark T. Valites
mvalites at buffalo.edu
Mon Dec 15 15:04:02 EST 2008
We are using a SUN One Directory Server (LDAP) Authentication plugin as
the backend authentication mechanism for users binding to our LDAP
servers. It uses the underlying Sun provided SUNWkrbux libraries to act as
a proxy to our kerberos servers.
We also use cosign as the login mechanism for users authenticating to our
shibboleth service. It uses the underlying Red Hat provided krb5-libs to
communicate with our kerberos servers.
Redunancy/HA for the LDAP and shibboleth/cosign services is acheived by
loading balancing behind a set of Cisco content service switches.
Our kerberos environment consists of one MIT krb-1.5.x master KDC and
three MIT krb-1.5.x slave KDCs. Redundancy is acheived with a
_kerberos._udp.ourrealm.edu SRV record that includes all four KDCs, each
with the same the same weight and priority, as well as a round robin DNS
entry for kerberos.ourdomain.com, which includes the same four KDCs (the
realm and domain names match):
$ dig _kerberos._udp.ourrealm.edu SRV
_kerberos._udp.ourrealm.edu. 600 IN SRV 0 0 88 kerb1.ourdomain.edu.
_kerberos._udp.ourrealm.edu. 600 IN SRV 0 0 88 kerb2.ourdomain.edu.
_kerberos._udp.ourrealm.edu. 600 IN SRV 0 0 88 kerb3.ourdomain.edu.
_kerberos._udp.ourrealm.edu. 600 IN SRV 0 0 88 kerb4.ourdomain.edu.
$ dig kerberos.ourdomain.edu
kerberos.ourdomain.edu. 60 IN A <IP 1>
kerberos.ourdomain.edu. 60 IN A <IP 2>
kerberos.ourdomain.edu. 60 IN A <IP 3>
kerberos.ourdomain.edu. 60 IN A <IP 4>
The krb5.conf files on the ldap & shibboleth/cosign servers are currently
configued with the following:
[libdefaults]
default_realm = ourrealm.ourdomain.edu
[realms]
dce.buffalo.edu = {
kdc = kerberos.ourdomain.edu
admin_server = kadminserver.ourdomain.edu
}
We recently saw a hardware failure on one our (non-master) KDCs that
brought the box completely off line. Even though they are redunant/highly
available on their own, the downstream ldap & shibboleth/cosign servers
all immeadiately saw issues because of this, exposing the weak link in the
chain.
The O'Reilly Kerberos (The Definitive Guide) book states that setting the
weight to 0 in the SRV record causes clients to choose from equal priority
KDCs randomly, but doesn't explicitely say anything about when one of
those is not available.
The book also indicates that setting priorities on the KDCs will cause the
client to try the next highest one if the first is not available, but to
me this implies that there would always be one KDC hit hardest.
Can the krb5.conf file/SRV record be configued to make the clients
fallback to one of the other KDCs if the first one tried is not available,
without always favoring the one(s) with the lowest priority numbered one?
Andy other thoughts/suggestions on achieving a HA/redundnat kerb seting
are welcome.
-Mark
--
Mark T. Valites
Senior Systems Administrator
Enterprise Infrastructure Services
University at Buffalo
More information about the Kerberos
mailing list