Kerberos through loadbalancer

Stefan Kania stefan at kania-online.de
Fri May 20 03:41:20 EDT 2022


Hi to all,

we have 4 ldap-providers, ldap1.example.net to ldap4.example.net. We are
securing the replication via kerberos, and everything works fine between the
providers. But now we want to set up some consumers. Between the
providers and the consumers a loadbalancer is located, so the consumers
only connect to the loadbalancer and the loadbalancer chooses one of the
providers. For the replication we put the fqdn of the loadbalancer
into the configuration. The fqdn is ldap.example.net. We then created a
host-principal and a service-principal for ldap.example.net and we put
the host-key into /etc/krb5.keytab of all ldap-providers, the same with
the service-key. So now all providers can use both, their own keys and the
keys from the loadbalancer. But it's not working :-(. In the log of the
provider we see that the consumer connects. ldaps is working. But
kerberos failed with the following messages:
--------------------
SASL [conn=5032] Failure: GSSAPI Error:  Miscellaneous failure (see
text) (Decrypt integrity check failed for checksum type
hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96)

slapd[59382]: conn=5032 op=0 RESULT tag=97 err=49 qtime=0.000028
etime=0.017274 text=SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context

--------------------
The same user we are using works without using the loadbalancer. If our
solution is wrong, what would be the right way to use a loadbalancer
together with kerberos?

Stefan
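A consistency check an administrator could run on the setup described above, as an added example that is not part of the original message: it parses `klist -k -e` output from each provider (constructed sample listings below; realm EXAMPLE.NET is assumed) and verifies that the load balancer's service principal carries identical kvno/enctype entries on every provider and that the enctype named in the log is present. Each `ktadd` generates a fresh random key and bumps the kvno, so a keytab extracted separately on each host will not match the key the KDC used for the ticket, which produces exactly a "Decrypt integrity check failed" on the provider that holds the stale kvno.

```shell
#!/bin/sh
# Constructed sample output of `klist -k -e /etc/krb5.keytab` from two providers.
# ldap2 received the load-balancer key via a separate `ktadd`, so its kvno differs.
KLIST_LDAP1='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ldap1.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   2 ldap/ldap1.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   3 host/ldap.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   3 ldap/ldap.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)'
KLIST_LDAP2='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ldap2.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   2 ldap/ldap2.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   4 host/ldap.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   4 ldap/ldap.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)'

# Print sorted "kvno enctype" lines for principal $2 found in listing $1.
keytab_entries() {
  printf '%s\n' "$1" |
    awk -v p="$2" '$2 == p { gsub(/[()]/, "", $3); print $1, $3 }' | sort -u
}

# Return 0 when every listing ($2..) has exactly the same entries for principal $1.
# A differing kvno means at least one provider holds a key the KDC no longer uses.
keytab_consistent() {
  prin=$1; shift
  ref=$(keytab_entries "$1" "$prin")
  [ -n "$ref" ] || return 1            # principal missing entirely
  for listing in "$@"; do
    [ "$(keytab_entries "$listing" "$prin")" = "$ref" ] || return 1
  done
  return 0
}

# Return 0 when listing $1 holds principal $2 with enctype $3 (the one from the log).
keytab_has_enctype() {
  keytab_entries "$1" "$2" | awk -v e="$3" '$2 == e { found = 1 } END { exit !found }'
}

# Stand-alone run: report whether the load-balancer service key matches on both hosts.
if keytab_consistent ldap/ldap.example.net@EXAMPLE.NET "$KLIST_LDAP1" "$KLIST_LDAP2"; then
  echo "ldap/ldap.example.net: keytab entries consistent across providers"
else
  echo "ldap/ldap.example.net: kvno/enctype mismatch between providers (re-export one keytab and copy it)"
fi
```

On real hosts, replace the constructed listings with `klist -k -e /etc/krb5.keytab` captured from each provider; the same `ktadd` export copied to all backends is what keeps the entries identical.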


