Kerberos through loadbalancer

Stefan Kania stefan at kania-online.de
Fri May 20 04:33:41 EDT 2022


Here are the messages we get using ldapsearch on one of the consumers:
---------------
ldapsearch -H ldaps://ldap.example.net
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Invalid credentials (49)
    additional info: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context


$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: search-repl@

Valid starting       Expires              Service principal
05/20/2022 09:46:35  05/20/2022 19:46:35  krbtgt/DE at DE
    renew until 05/21/2022 09:46:35
05/20/2022 09:46:50  05/20/2022 19:46:35  ldap/consumer01 at DE
    renew until 05/21/2022 09:46:35
05/20/2022 09:47:07  05/20/2022 19:46:35  ldap/ldap1 at DE
    renew until 05/21/2022 09:46:35
05/20/2022 09:47:24  05/20/2022 19:46:35  ldap/ldap at DE
    renew until 05/21/2022 09:46:35

---------------
As you can see we get the ticket for ldap.

Stefan

Am 20.05.22 um 09:41 schrieb Stefan Kania:
> Hi to all,
> 
> we have 4 ldap-providers ldap1.example.net to ldap4.example.net. We are
> securing the replication via kerberos, everything works fine between the
> providers. But now we want to set up some consumers. Between the
> providers and the consumers a loadbalancer is located, so the consumers
> only connect to the loadbalancer and the loadbalancer chooses one of the
> providers. For the replication we put the fqdn of the loadbalancer
> into the configuration. The fqdn is ldap.example.net. We then created a
> host-principal and a service-principal for ldap.example.net and we put
> the host-key into /etc/krb5.keytab of all ldap-providers, the same with
> the service-key. So now all providers can use both, their own keys and the
> keys from the loadbalancer. But it's not working :-(. In the log of the
> provider we see that the consumer connects. ldaps is working. But
> kerberos failed with the following messages:
> --------------------
> SASL [conn=5032] Failure: GSSAPI Error:  Miscellaneous failure (see
> text) (Decrypt integrity check failed for checksum type
> hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96)
> 
> slapd[59382]: conn=5032 op=0 RESULT tag=97 err=49 qtime=0.000028
> etime=0.017274 text=SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context
> 
> --------------------
> The same user we are using works without using the loadbalancer. If our
> solution is wrong, what would be the right way to use a loadbalancer
> together with kerberos?
> 
> Stefan
> 
> 
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
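When a shared service principal has been added to the keytab of several hosts, the first thing to verify is that every host actually holds the same key: same kvno, and an enctype that matches the one the KDC used for the service ticket (aes256-cts-hmac-sha1-96 in the error above). A kvno that differs between hosts means the entries were generated separately and are not the same key. The following is an added example, not code from this thread: it parses constructed `klist -k -e` output from two hypothetical providers (ldap1/ldap2, made-up realm EXAMPLE.NET) and reports the inconsistencies.

```python
import re
from collections import defaultdict

# Constructed sample output of "klist -k -e" from two providers behind the
# load balancer (hypothetical hosts, hypothetical realm EXAMPLE.NET).
# ldap2 carries a different kvno for the shared principal, i.e. a key that
# was generated separately and therefore does not match the other host.
KEYTABS = {
    "ldap1.example.net": """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/ldap1.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   3 ldap/ldap1.example.net@EXAMPLE.NET (aes128-cts-hmac-sha1-96)
   5 ldap/ldap.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   5 ldap/ldap.example.net@EXAMPLE.NET (aes128-cts-hmac-sha1-96)
""",
    "ldap2.example.net": """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/ldap2.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   6 ldap/ldap.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
""",
}

# One keytab entry line: "<kvno> <principal> (<enctype>)"; header lines are skipped.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")

def parse_keytab_listing(text):
    """Return {principal: {kvno: set(enctypes)}} from klist -k -e output."""
    entries = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries[m.group(2)][int(m.group(1))].add(m.group(3))
    return entries

def check_shared_principal(keytabs, principal, required_etype):
    """List hosts missing the principal, lacking the enctype the KDC uses
    for the ticket, or holding a kvno that differs from the other hosts."""
    findings, kvnos = [], {}
    for host, text in keytabs.items():
        versions = parse_keytab_listing(text).get(principal)
        if not versions:
            findings.append(f"{host}: no entry for {principal}")
            continue
        newest = max(versions)          # the kvno slapd will match against
        kvnos[host] = newest
        if required_etype not in versions[newest]:
            findings.append(f"{host}: kvno {newest} lacks {required_etype}")
    if len(set(kvnos.values())) > 1:    # keys extracted separately per host
        detail = ", ".join(f"{h}=kvno {v}" for h, v in sorted(kvnos.items()))
        findings.append(f"kvno differs across providers: {detail}")
    return findings
```

Run it against the real `klist -k -e` output collected from each provider; an empty result means the shared principal is consistent everywhere.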



