Selective kdc discovery

Paul B. Henson henson at acm.org
Thu Oct 29 14:13:47 EDT 2020


So management wants to replicate our core authentication infrastructure 
into the cloud so if the campus is down people will still be able to 
access cloud services. The components in question consist of a 
Shibboleth IdP which avails of Kerberos for authentication and LDAP for 
directory services/attributes.

Ideally, I would like on campus services to use the campus instances if 
they are available, and failover to the cloud instances if not. And 
correspondingly, I would like the cloud services to use the cloud 
instances if they are available, and campus ones if not.

For LDAP the IdP allows configuration of multiple directory servers, 
with failover. So I can easily configure the campus IdP to hit campus 
LDAP first, then failover to the cloud, and vice versa for the cloud IdP.

I'm trying to figure out how to handle Kerberos. The question is also 
complicated in that the IdP uses the Java Kerberos client, which I don't 
think has feature parity with the MIT libraries in terms of KDC discovery.

Using SRV or URI DNS records, it looks like I can configure some number 
of KDCs as primary, and other ones as secondary. However, this would 
cause both the campus and cloud instances to get the same one first, and 
the other one second. Potentially this could be worked around with 
separate DNS views, but I don't think that is going to be feasible for 
this deployment. I am also not sure if the Java Kerberos client 
understands SRV/URI records and properly splits them based on priority?

In the krb5.conf file, you can specify KDCs statically, but there is no 
mechanism for prioritizing them or indicating which ones should be tried 
first. You can also specify one or more master_kdc entries, but based on the 
documentation those are only accessed in the case of a password failure 
on one of the regular kdc entries? If, hypothetically, all of the 
regular kdc entries time out, would the master_kdc entries still be used, 
or would the request simply fail at that point with an unreachable KDC 
error?

Any other suggestions for achieving a separate primary/failover 
configuration for two different network locations in a fashion that 
would work properly with the Java Kerberos client?

Thanks much…
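The following is an added worked example, not code from the original post or from any Kerberos implementation. It makes two of the post's points concrete on constructed data: first, how a client that follows RFC 2782 orders an SRV answer for _kerberos._udp.REALM (lower priority first, weighted random within equal priority), which shows why a single DNS answer gives campus and cloud clients the same first choice; second, a per-site krb5.conf [realms] stanza that simply lists the local KDCs before the remote ones, the static alternative when DNS views are not available. The realm EXAMPLE.EDU, the hostnames, and the assumption that the client tries kdc entries in the order they are listed in krb5.conf are all hypothetical assumptions of this example; it does not answer the post's question about whether master_kdc entries are consulted when every regular kdc times out.

```python
"""Added example, not from the original post.

1. RFC 2782 ordering of a constructed SRV answer for _kerberos._udp.<REALM>.
2. A per-site krb5.conf [realms] stanza with local KDCs listed first.

Realm, hostnames and the "kdc entries are tried in listed order" rule are
hypothetical assumptions, not something taken from the post or from MIT/Java.
"""
import random
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed SRV answer for _kerberos._udp.EXAMPLE.EDU (hypothetical hosts).
# The two campus KDCs share priority 10; the cloud KDC is the priority-20 backup.
CONSTRUCTED_SRV_ANSWER: List[SrvRecord] = [
    SrvRecord(priority=10, weight=50, port=88, target="kdc1.campus.example.edu."),
    SrvRecord(priority=10, weight=50, port=88, target="kdc2.campus.example.edu."),
    SrvRecord(priority=20, weight=100, port=88, target="kdc1.cloud.example.edu."),
]

# Hypothetical per-site KDC lists used for the static krb5.conf variant.
CAMPUS_KDCS = ["kdc1.campus.example.edu", "kdc2.campus.example.edu"]
CLOUD_KDCS = ["kdc1.cloud.example.edu"]


def order_srv(records: Iterable[SrvRecord],
              rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Return records in the order an RFC 2782 client would contact them."""
    rng = rng or random.Random()
    remaining = list(records)
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in remaining}):
        # Weight-0 records are placed first so they are chosen only when the
        # random number is 0 (RFC 2782, "Usage rules").
        bucket = sorted((r for r in remaining if r.priority == prio),
                        key=lambda r: r.weight != 0)
        while bucket:
            total = sum(r.weight for r in bucket)
            n = rng.randint(0, total)  # inclusive of both ends, per the RFC
            running = 0
            for rec in bucket:
                running += rec.weight
                if running >= n:
                    ordered.append(rec)
                    bucket.remove(rec)
                    break
    return ordered


def ordered_targets(records: Iterable[SrvRecord], seed: int) -> List[str]:
    """Deterministic (seeded) contact order, by target name."""
    return [r.target for r in order_srv(records, random.Random(seed))]


def realm_stanza(realm: str, local_kdcs: List[str], remote_kdcs: List[str],
                 master_kdc: Optional[str] = None) -> str:
    """Render a [realms] stanza listing local KDCs before remote ones.

    Assumption: the client tries kdc entries in file order, so each site
    gets its own krb5.conf with its own KDCs first.
    """
    lines = ["[realms]", f"    {realm} = {{"]
    for host in local_kdcs + remote_kdcs:
        lines.append(f"        kdc = {host}")
    if master_kdc:
        lines.append(f"        master_kdc = {master_kdc}")
    lines.append("    }")
    return "\n".join(lines) + "\n"


def kdc_order(stanza: str) -> List[str]:
    """Read the kdc entries back out of a stanza, in file order."""
    return [ln.split("=", 1)[1].strip()
            for ln in stanza.splitlines() if ln.strip().startswith("kdc =")]


if __name__ == "__main__":
    # Same DNS answer at both sites, so both sites get the same first choice.
    for site in ("campus", "cloud"):
        print(f"{site} client, SRV order: {ordered_targets(CONSTRUCTED_SRV_ANSWER, seed=1)}")
    print("--- campus krb5.conf ---")
    print(realm_stanza("EXAMPLE.EDU", CAMPUS_KDCS, CLOUD_KDCS))
    print("--- cloud krb5.conf ---")
    print(realm_stanza("EXAMPLE.EDU", CLOUD_KDCS, CAMPUS_KDCS))
```

Whatever the seed, the priority-20 cloud KDC is always contacted last by an RFC 2782 client, and the two campus KDCs are only shuffled between themselves; the per-site stanzas are the only thing in this example that differs between campus and cloud.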

