Kerberized NFS (GSS-API) problem with multiple-IP Address and single hostname

Derek Atkins warlord at MIT.EDU
Tue Jan 4 08:54:53 EST 2011


sandeep patil <san_patil at> writes:

> To be specific;
> I have kerberized NFS server running on 3 separate machine (exporting the same share) where ever machine has a different IP address but the same hostname (In other words the hostname is associated with 3 IP-address- for general load balancing using DNS). Now when I acquire kerberos credentials from a client machine and mount the NFS share against the hostname ,it fails. The reason it seems to fail is because when the gss-api handshake takes place between the NFS client and NFS server , the kerberos/gss-api library always tends to resolve the hostname to ipaddress and in this case ends up getting different IP address.  So looks like when we mount NFS, the first part of the gss-api handshake takes place with one machine and in the next iteration it goes to a different machine ( where there is no gss-api context) and hence it fails.

I don't think the problem is that results in multiple
IP Addresses.  I think the problem is that the reverse-resolution of the
IP Addresses result in 3 different names!  I suspect it's trying to use
the reverse-resolution to find the name to use for kerberos.

> The same setup works fine when we keep only one NFS server machine up and running which cross confirms our above understanding. Also the ip traces helps confirm the above.
> So my question is,how can such a scenario be tackled?
> One way is to hardcode the ipaddress of NFS server machine on all NFS client machine - but this defeats the entire purpose of doing it thru DNS...Any Clues ?
> The above seems to be similar to a multi-home machine ,but is significantly different as in a multi-home machine its the same machine with 3 IP address,unlike in this case its 3 machine with 3 IP address and same hostname.

What happens if you add DNS PTR records for all three IP addresses and
map back to the primary name?

> Inputs/advice appreciated.
> -S
> _______________________________________________
> krbdev mailing list             krbdev at


       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL:    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available

More information about the krbdev mailing list