Kerberos through loadbalancer
Stefan Kania
stefan at kania-online.de
Fri May 20 04:33:41 EDT 2022
Here are the messages we get using ldapsearch on one of the consumers:
---------------
ldapsearch -H ldaps://ldap.example.net
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Invalid credentials (49)
additional info: SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context
$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: search-repl@

Valid starting       Expires              Service principal
05/20/2022 09:46:35  05/20/2022 19:46:35  krbtgt/DE@DE
        renew until 05/21/2022 09:46:35
05/20/2022 09:46:50  05/20/2022 19:46:35  ldap/consumer01@DE
        renew until 05/21/2022 09:46:35
05/20/2022 09:47:07  05/20/2022 19:46:35  ldap/ldap1@DE
        renew until 05/21/2022 09:46:35
05/20/2022 09:47:24  05/20/2022 19:46:35  ldap/ldap@DE
        renew until 05/21/2022 09:46:35
---------------
As you can see, we get the ticket for ldap.
Stefan
On 20.05.22 at 09:41, Stefan Kania wrote:
> Hi to all,
>
> we have 4 LDAP providers, ldap1.example.net to ldap4.example.net. We
> secure the replication via Kerberos, and everything works fine between the
> providers. But now we want to set up some consumers. Between the
> providers and the consumers there is a load balancer, so the consumers
> only connect to the load balancer, and the load balancer chooses one of the
> providers. For the replication we put the FQDN of the load balancer
> into the configuration. The FQDN is ldap.example.net. We then created a
> host principal and a service principal for ldap.example.net, and we put
> the host key into /etc/krb5.keytab on all LDAP providers, and the same with
> the service key. So now all providers can use both their own keys and the
> keys from the load balancer. But it's not working :-(. In the log of the
> provider we see that the consumer connects. ldaps is working. But
> Kerberos fails with the following messages:
> --------------------
> SASL [conn=5032] Failure: GSSAPI Error: Miscellaneous failure (see
> text) (Decrypt integrity check failed for checksum type
> hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96)
>
> slapd[59382]: conn=5032 op=0 RESULT tag=97 err=49 qtime=0.000028
> etime=0.017274 text=SASL(-13): authentication failure: GSSAPI Failure:
> gss_accept_sec_context
>
> --------------------
> The same user we are using works without the load balancer. If our
> solution is wrong, what would be the right way to use a load balancer
> together with Kerberos?
>
> Stefan
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
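A check worth running in this kind of setup, given here as an added example that is not part of the thread and not code from OpenLDAP or MIT Kerberos: when one service principal (here ldap/ldap.example.net) is served by several backends behind a load balancer, every backend's keytab must hold the same key bytes and the same kvno as the KDC holds. With MIT Kerberos, each `kadmin ktadd` for a principal generates a fresh random key and bumps the kvno (only `kadmin.local ktadd -norandkey` keeps the existing key), so exporting the shared principal separately on each server leaves only the last export matching the KDC; the ticket the consumer obtains is encrypted under the KDC's current key, and a server holding an older key cannot decrypt it. The script parses MIT keytab files (format 0x0502) and reports, per enctype, which hosts disagree. The realm EXAMPLE.NET, the host names and all key material are constructed sample data, not anything from the thread.

```python
"""Compare one service principal's key across several MIT keytabs.

Added example, not code from the mailing-list thread. Assumptions: MIT keytab
file format 0x0502; realm EXAMPLE.NET; every keytab below is constructed
sample data, not a key taken from any real host.
"""
import hashlib
import struct

KEYTAB_MAGIC = b"\x05\x02"
AES256_CTS_HMAC_SHA1_96 = 18   # enctype number (RFC 3962)
KRB5_NT_SRV_HST = 3            # name type for host-based service principals


def _counted(data: bytes) -> bytes:
    """uint16 length prefix + bytes, used for realm, components and key."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into a v2 keytab blob."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        # name type, timestamp (0 in this sample), 8-bit kvno
        body += struct.pack(">IIB", KRB5_NT_SRV_HST, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)          # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """Yield {principal, kvno, enctype, key} for every live entry."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos = 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                             # negative size = deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", blob, pos); pos += 2
        realm = blob[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos); pos += 2
            comps.append(blob[pos:pos + clen].decode()); pos += clen
        _nt, _ts, vno8 = struct.unpack_from(">IIB", blob, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos); pos += 4
        key = blob[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:                       # trailing 32-bit kvno wins if non-zero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                kvno = vno32
        pos = end
        yield {"principal": "/".join(comps) + "@" + realm,
               "kvno": kvno, "enctype": enctype, "key": key}


def fingerprint(key: bytes) -> str:
    """Short digest so keys can be compared in output without printing them."""
    return hashlib.sha256(key).hexdigest()[:12]


def compare_service_key(keytabs, principal):
    """Problems found: hosts lacking the principal, and per-enctype groups of
    hosts whose (kvno, key) differ. An empty list means all keytabs agree."""
    per_host = {}
    for host, blob in keytabs.items():
        for e in parse_keytab(blob):
            if e["principal"] == principal:
                per_host.setdefault(host, {})[e["enctype"]] = (e["kvno"], fingerprint(e["key"]))
    problems = [f"{h}: no key for {principal}" for h in sorted(keytabs) if h not in per_host]
    enctypes = set().union(*(d.keys() for d in per_host.values()))
    for et in sorted(enctypes):
        variants = {}
        for host, d in per_host.items():
            if et in d:
                variants.setdefault(d[et], []).append(host)
        if len(variants) > 1:
            desc = "; ".join(f"kvno {k} key {fp} on {','.join(sorted(h))}"
                             for (k, fp), h in sorted(variants.items()))
            problems.append(f"enctype {et}: {desc}")
    return problems


def demo():
    """Constructed scenario: ldap1 exported the shared key first, ldap2 and
    ldap3 re-ran ktadd (new random key, kvno bumped), ldap4 never got it."""
    principal = "ldap/ldap.example.net@EXAMPLE.NET"
    key_v3 = hashlib.sha256(b"sample key kvno 3").digest()   # constructed
    key_v4 = hashlib.sha256(b"sample key kvno 4").digest()   # constructed
    et = AES256_CTS_HMAC_SHA1_96
    keytabs = {
        "ldap1": build_keytab([(principal, 3, et, key_v3)]),
        "ldap2": build_keytab([(principal, 4, et, key_v4)]),
        "ldap3": build_keytab([(principal, 4, et, key_v4)]),
        "ldap4": build_keytab([("ldap/ldap4.example.net@EXAMPLE.NET", 2, et, key_v3)]),
    }
    return compare_service_key(keytabs, principal)


if __name__ == "__main__":
    for line in demo() or ["consistent"]:
        print(line)
```

On real hosts the blobs would come from reading /etc/krb5.keytab on each provider; the kvno the KDC currently holds can be checked against them with `kvno ldap/ldap.example.net` from any client with a TGT. Fixing a drifted set means extracting the key once with `kadmin.local ktadd -norandkey` on the KDC and copying that entry to every provider, rather than running ktadd per host.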