Kerberos through loadbalancer

Stefan Kania stefan at kania-online.de
Fri May 27 14:04:35 EDT 2022


Hi Russ

Am 20.05.22 um 18:45 schrieb Russ Allbery:
> Stefan Kania <stefan at kania-online.de> writes:
> 
>> we have 4 ldap-providers ldap1.example.net to ldap4.example.net. We
>> are securing the replication via Kerberos; everything works fine between
>> the providers. But now we want to set up some consumers. Between the
>> providers and the consumers a loadbalancer is located, so the consumers
>> only connect to the loadbalancer and the loadbalancer chooses one of the
>> providers. For the replication we put the fqdn of the loadbalancer
>> into the configuration. The fqdn is ldap.example.net. We then created a
>> host-principal and a service-principal for ldap.example.net and we put
>> the host-key into /etc/krb5.keytab of all ldap-providers, the same with
>> the service-key. So now all providers can use both their own keys and the
>> keys of the loadbalancer. But it's not working :-(.
> 
> Two things to check:
> 
> First, how did you put the service key for ldap/ldap.example.net onto each
> host?  If you used ktadd via kadmin, you alas did not do that.  Each time
> you downloaded the keytab entry, ktadd randomized the key again, so only
> the last host on which you put the key has a correct key and all of the
> rest have incorrect keys.
We created one keytab for each host and each service: one ldap-key for
each ldap(1..4).example.net and one for ldap.example.net. We then put the
key for ldap.example.net into all ldap(1..4).keytab files with ktutil. We
checked the KVNO and everything is ok there. So no two different keys.
> 
> You have to either manually copy the keytab file between hosts without
> running ktadd again, or somehow use -norandkey to generate the keytab
> entry.
> 
> If that's not the problem, it used to be that you had to apply a one-line
> patch to Cyrus SASL to prevent it from forcing Kerberos to only use the
> keytab entry that it thought corresponded to the local hostname, which
> otherwise would prevent this trick from working.  I thought Cyrus SASL
> upstream had finally taken that patch and included it in a release, but
> maybe you're using an old version of Cyrus SASL?  I don't remember what
> error message that used to produce, though, so maybe this is a different
> problem.
We use debian 11 and the packages from Debian. Do you have some more
information about the patch?
> 

We use "Layer 4 Load Balancing Direct Server Return Mode" on the
loadbalancer. So no NAT; only the MAC-address is changed by the
loadbalancer. The consumer is only talking to ldap.example.net, the
loadbalancer.
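A practitioner reading this thread will want to verify, without trusting a visual check of `klist -kte` output, that the shared `ldap/ldap.example.net` entry is byte-for-byte identical (same kvno, same enctype, same key) in the keytab of every provider behind the loadbalancer, since a repeated `ktadd` rotates the key on the KDC and leaves the earlier copies stale. The following is an added example, not code from the thread or from MIT krb5: it parses the MIT keytab file format (version 0x0502) directly and compares the shared principal across hosts. The hostnames, realm, enctype number 18 (aes256-cts-hmac-sha1-96) and key bytes below are constructed test data.

```python
"""Keytab consistency check for a service principal shared by several hosts.

Parses MIT krb5 keytab files (format 0x0502) and verifies that every host
holds the same (kvno, enctype, key) set for the shared principal.  Added
example with constructed sample data; not part of the mailing-list thread.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab file format version 2
KRB5_NT_PRINCIPAL = 1
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


def _counted(buf, pos):
    """Read a uint16-length-prefixed octet string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype, key), ...] for every live entry."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted entry (hole)
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        vno = vno8
        if end - pos >= 4:           # optional 32-bit kvno (krb5 >= 1.14 always writes it)
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                vno = vno32
        pos = end
        principal = b"/".join(comps).decode() + "@" + realm.decode()
        entries.append((principal, vno, enctype, key))
    return entries


def build_keytab(entries, timestamp=0):
    """Serialise (principal, kvno, enctype, key) tuples into keytab bytes."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, vno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = [c.encode() for c in name.split("/")]
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, vno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", vno)   # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_shared_principal(keytabs, principal):
    """keytabs: {hostname: keytab_bytes}.  Returns (ok, report); report maps
    each host to its set of (kvno, enctype, key) for the principal.  ok is
    False if any host lacks the principal or holds a different key set."""
    report = {}
    for host, data in keytabs.items():
        report[host] = {(v, e, k) for p, v, e, k in parse_keytab(data) if p == principal}
    keysets = list(report.values())
    ok = bool(keysets) and all(ks and ks == keysets[0] for ks in keysets)
    return ok, report


# ---- constructed sample data (hypothetical hosts, realm and keys) ----
REALM = "EXAMPLE.NET"
SHARED = "ldap/ldap.example.net@" + REALM
HOSTS = ["ldap%d.example.net" % i for i in range(1, 5)]
SHARED_KEY_V3 = bytes(range(32))        # key copied with ktutil, kvno 3
SHARED_KEY_V4 = bytes(range(32, 64))    # what a second ktadd yields: kvno 4, new key


def example_keytabs(consistent):
    """Four provider keytabs; if not consistent, ldap3 got a re-run ktadd."""
    keytabs = {}
    for i, host in enumerate(HOSTS):
        own = ("ldap/%s@%s" % (host, REALM), 2, ENCTYPE_AES256_CTS_HMAC_SHA1_96,
               bytes([i] * 32))
        shared = (SHARED, 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, SHARED_KEY_V3)
        if not consistent and host == "ldap3.example.net":
            shared = (SHARED, 4, ENCTYPE_AES256_CTS_HMAC_SHA1_96, SHARED_KEY_V4)
        keytabs[host] = build_keytab([own, shared])
    return keytabs


if __name__ == "__main__":
    for consistent in (True, False):
        ok, report = check_shared_principal(example_keytabs(consistent), SHARED)
        print("consistent=%s -> ok=%s" % (consistent, ok))
        for host, keyset in report.items():
            print("  %-20s %s" % (host, sorted((v, e, k.hex()[:8]) for v, e, k in keyset)))
```

In practice you would read each provider's `/etc/krb5.keytab` (or the per-host keytab slapd is configured with) into the `keytabs` dict instead of calling `example_keytabs`; a host whose entry shows a higher kvno and different key bytes than the rest is the one where `ktadd` was run again, and the others now hold a key the KDC no longer issues tickets for.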
