Kerberos through loadbalancer
Russ Allbery
eagle at eyrie.org
Fri May 20 12:45:07 EDT 2022
Stefan Kania <stefan at kania-online.de> writes:
> we have 4 ldap-providers ldap1.example.net to ldap4.example.net. We are
> securing the replication via kerberos, everything works fine between the
> providers. But now we want to set up some consumers. Between the
> providers and the consumers a loadbalancer is located, so the consumers
> only connect to the loadbalancer and the loadbalancer chooses one of the
> providers. For the replication we put the fqdn from the loadbalancer
> into the configuration. The fqdn is ldap.example.net. We then created a
> host-principal and a service-principal for ldap.example.net and we put
> the host-key into /etc/krb5.keytab of all ldap-providers the same with
> the service-key. So now all providers can use both their own keys and the
> keys from the loadbalancer. But it's not working :-(.
Two things to check:
First, how did you put the service key for ldap/ldap.example.net onto each
host? If you used ktadd via kadmin, you alas did not do that. Each time
you downloaded the keytab entry, ktadd randomized the key again, so only
the last host on which you put the key has a correct key and all of the
rest have incorrect keys.
You have to either manually copy the keytab file between hosts without
running ktadd again, or somehow use -norandkey to generate the keytab
entry.
If that's not the problem, it used to be that you had to apply a one-line
patch to Cyrus SASL to prevent it from forcing Kerberos to only use the
keytab entry that it thought corresponded to the local hostname, which
otherwise would prevent this trick from working. I thought Cyrus SASL
upstream had finally taken that patch and included it in a release, but
maybe you're using an old version of Cyrus SASL? I don't remember what
error message that used to produce, though, so maybe this is a different
problem.
--
Russ Allbery (eagle at eyrie.org) <https://www.eyrie.org/~eagle/>
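As an added example (not code from anyone in this thread): a POSIX shell check for the first problem Russ describes, comparing the kvno each provider's keytab holds for the shared principal, since a fresh ktadd on every host leaves each with a different kvno and key. The realm EXAMPLE.NET and the klist output below are constructed samples.

```shell
#!/bin/sh
# Detect the ktadd re-randomisation problem: every provider must hold the
# same kvno (and therefore the same key) for the load balancer's principal.
# The fix on the page is to extract the entry once and copy the keytab, or
# to use `ktadd -norandkey -k /etc/krb5.keytab ldap/ldap.example.net`.

PRINC='ldap/ldap.example.net@EXAMPLE.NET'   # constructed realm

# Constructed `klist -kt /etc/krb5.keytab` output from two providers.
# ldap2 ran ktadd after ldap1, so the key was randomised again and the
# kvno bumped from 5 to 6: ldap1's copy of the key is now stale.
KT_LDAP1='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   3 05/20/2022 10:01:12 host/ldap1.example.net@EXAMPLE.NET
   5 05/20/2022 10:02:40 ldap/ldap.example.net@EXAMPLE.NET'
KT_LDAP2='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ---------------------------------------------
   3 05/20/2022 10:01:30 host/ldap2.example.net@EXAMPLE.NET
   6 05/20/2022 10:03:05 ldap/ldap.example.net@EXAMPLE.NET'

# kvno_of <klist output> <principal>: print the highest kvno stored for the
# principal (last column of each entry line), or nothing if it is absent.
kvno_of() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { print $1 }' | sort -n | tail -n 1
}

# keytabs_consistent <principal> <klist output>...: return 0 when every
# keytab holds the same kvno for the principal, 1 if they differ or one
# keytab lacks the entry entirely.
keytabs_consistent() {
    p="$1"; shift
    ref=''
    for kt in "$@"; do
        k=$(kvno_of "$kt" "$p")
        [ -n "$k" ] || { echo "missing entry for $p" >&2; return 1; }
        if [ -z "$ref" ]; then
            ref="$k"
        elif [ "$k" != "$ref" ]; then
            echo "kvno mismatch for $p: $ref vs $k (ktadd randomised the key again)" >&2
            return 1
        fi
    done
    return 0
}

keytabs_consistent "$PRINC" "$KT_LDAP1" "$KT_LDAP2" && echo "keytabs agree" || echo "keytabs differ"
```

On real hosts, feed the function the output of `klist -kt /etc/krb5.keytab` collected from each provider; a mismatch means the copies must be redone without re-running ktadd.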