Selective kdc discovery
Grant Taylor
gtaylor at tnetconsulting.net
Sun Nov 1 13:06:07 EST 2020
On 10/29/20 12:13 PM, Paul B. Henson wrote:
> Any other suggestions for achieving a separate primary/failover
> configuration for two different network locations in a fashion that
> would work properly with the Java kerberos client?

I have no idea if this would work or not.

But I would consider DNS views / host entries such that the first name
in the list always resolved to the local server and subsequent names
resolved to remote servers.

The other thing I might try is to work with the networking team to see
if it's possible to have things on an anycast IP to attract clients to
the closest server. In the event that the close server has a problem,
stop announcing the anycast IP and things will naturally go to the next
closest server.

You might be able to achieve similar behavior with something like a load
balancer.

I have no idea what sort of protections are in place that might fight
this or what would need to be done to overcome it. Possibly having the
local and remote instance be a clone of each other so that they seem to
be the same entity.

--
Grant. . . .
unix || die