Binding kadmind to a specific virtual IP

JUNG, Christian christian.jung at
Wed Sep 17 03:35:27 EDT 2008


I've seen a similar posting on the mailing list (see <>):

On Nov 12, 2007, at 09:08, Shivakeshav Santi wrote:
>     Does kerberos provide an option where one could bind the krb5kdc,
> kadmind,kadmind4 and krb524d to a specific virtual IP. I have a  
> machine (set of machines) which have multiple virtual ips, so can I 
> bind KDC to a single IP . Right now it listens on all IPs.

I'd like to build a HA cluster. We do this the following way:

Let's have two nodes. Every node got its own IP (node 1:, node 2: The cluster itself has the IP which is only active on one node (e.g. node 1).

Every service gets his own IP too (e.g. kerberos My problem: If a user makes a password change request via kpasswd, she sends a UDP packet to the kadmind process listening on port 464. kadmind then makes the password change and sends the answer to the client via UDP. 

But the answer of kadmind comes from the first assigned IP of the interface the kernel sends out the packet. Assuming Kerberos is running on node 2 this would be instead of

This is annoying because the clients prints out the message 'kpasswd: Incorrect net address changing password' despite the fact, that the password change was successful.

I'd like to implement a generic way to tell all core services of the MIT Kerberos implementation to which IPs/Ports they should bind. Does anybody has got suggestions for this topic?


phone: +49 6898/10-4987
web  :
mail : Hofstattstraße 106a
       D 66333 Voelklingen

More information about the krbdev mailing list