MIT Kerberos version 1.6 with F5 BigIP

Kevin Longfellow klongfel at yahoo.com
Thu Feb 18 17:00:51 EST 2010


Hi,

Just wondering if anyone can tell me if it's possible or reasonable to put multiple KDCs behind an F5 BigIP for load balance purposes?  We have tried a simple configuration with port 88 UDP but it seems to cause some issues with the KDCs.  Getting a TGT with kinit seems to work just fine but using an application (e.g. nfs) the TGS seems to fail.  It would be nice to use the F5 load balancer since we have to use krb5.conf deploying it on thousands of systems.

KDC issue in log file:

tail -f /var/log/krb5kdc.log
krb5kdc: Invalid message type - while dispatching (udp)
krb5kdc: Invalid message type - while dispatching (udp)
krb5kdc: Invalid message type - while dispatching (udp)
krb5kdc: Invalid message type - while dispatching (udp)

We suspect this is the F5 probe to determine if port 88 is alive?

When trying to access a Kerberos nfs mount point the kinit works but the TGS seems to fail.  Briefly looking at a packet trace of the failure shows as the last packet received from the F5:

KRB ERROR: KRB5KRB_AP_ERR_BADADDR

Any information on load balancing KDCs with an F5 would be highly appreciated.

Thanks,

Kevin
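
Added example, not part of the original post: every Kerberos message starts with a constructed ASN.1 APPLICATION tag (RFC 4120) and a KDC serves only AS-REQ and TGS-REQ, so checking the first bytes of datagrams captured on port 88 separates real requests from other traffic such as a monitor probe. The helper names and the sample payloads are constructed for illustration.

```python
# Added example: classify a datagram captured on port 88 by its outer ASN.1 tag.
# RFC 4120 wraps every Kerberos message in a constructed APPLICATION tag.
KRB_APP_TAGS = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
                14: "AP-REQ", 15: "AP-REP", 30: "KRB-ERROR"}
KDC_REQUESTS = {"AS-REQ", "TGS-REQ"}  # the only message types a KDC serves


def der_length(buf, off):
    """Decode a DER length at buf[off]; return (length, next_offset) or None."""
    if off >= len(buf):
        return None
    first = buf[off]
    if first < 0x80:                      # short form: length in one octet
        return first, off + 1
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or off + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[off + 1:off + 1 + n], "big"), off + 1 + n


def classify(payload):
    """Return (label, is_kdc_request) for one UDP payload (hypothetical helper)."""
    # 0x60 = APPLICATION class with the constructed bit set
    if not payload or payload[0] & 0xE0 != 0x60:
        return "not-kerberos", False
    name = KRB_APP_TAGS.get(payload[0] & 0x1F)
    if name is None:
        return "not-kerberos", False
    # Over UDP one datagram carries exactly one message, so the DER length
    # must account for every remaining byte.
    parsed = der_length(payload, 1)
    if parsed is None or parsed[0] != len(payload) - parsed[1]:
        return "malformed " + name, False
    return name, name in KDC_REQUESTS


# Constructed sample payloads: outer headers with dummy bodies, not real traffic.
SAMPLES = {
    "empty probe": b"",
    "text probe": b"ping",
    "AS-REQ header": bytes([0x6A, 0x03, 0x30, 0x01, 0x00]),
    "TGS-REQ, long-form length": bytes([0x6C, 0x81, 0x80]) + bytes(128),
    "truncated TGS-REQ": bytes([0x6C, 0x05, 0x30]),
    "KRB-ERROR header": bytes([0x7E, 0x02, 0x30, 0x00]),
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        print(f"{label:28} -> {classify(data)}")
```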


      


