On Tue, 2015-03-31 at 13:21 -0400, Brendan Kearney wrote:
> On Tue, 2015-03-31 at 12:53 -0400, Simo Sorce wrote:
> > On Tue, 2015-03-31 at 11:41 -0400, Brendan Kearney wrote:
> > > On Tue, 2015-03-31 at 11:07 -0400, Dmitri Pal wrote:
> > > > On 03/31/2015 10:38 AM, Matt . wrote:
> > > > > True, but we have some extra later between which does the cli command
> > > > > not usable (at least for the moment)
> > > > >
> > > > > I already know how to share the key's among all servers, that works
> > > > > fine, IPA/Apache/Kerberos only doesn't like the other hostname
> > > > > (loadbalancer), or the client doesn't understand it.
> > > > >
> > > > > So fixing this saves me really much more time than doing the another 
> > > > > way.
> > > > 
> > > > Kerberos is not load balancer friendly. It is something that is a known 
> > > > property of Kerberos.
> > > > I remember MIT mentioning something that they did or might do to help 
> > > > with that so it might make sense to ask this question on the MIT 
> > > > Kerberos user list.
> > > > 
> > > > >
> > > > > Thanks!
> > > > >
> > > > > Matt
> > > > >
> > > > > 2015-03-31 16:24 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
> > > > >> On 31.3.2015 16:10, Matt . wrote:
> > > > >>> HI Petr,
> > > > >>>
> > > > >>> We had a several of reasons why we did that. We wanted to use one
> > > > >>> language for that, and also have formatted returns. There was also
> > > > >>> some security issue which came up.
> > > > >> I would be very interested in the security reason. If you see any 
> > > > >> problem with
> > > > >> 'ipa' command or FreeIPA API please send me a private e-mail or 
> > > > >> contact
> > > > >> secal...@redhat.com directly.
> > > > >>
> > > > >>> I could ask you, why does IPA json itself ? if you see what it posts
> > > > >>> and what it gets back as result it makes it much more clear in
> > > > >>> development.
> > > > >> I do not understand the question, sorry.
> > > > >>
> > > > >> If you want to see what 'ipa' command does run it with '-vv' 
> > > > >> parameter:
> > > > >> $ ipa -vv user-find
> > > > >>
> > > > >> It will print JSON request and reply:
> > > > >> ipa: INFO: Request: {
> > > > >>      "id": 0,
> > > > >>      "method": "user_find",
> > > > >>      "params": [
> > > > >>          [
> > > > >>              null
> > > > >>          ],
> > > > >>          {
> > > > >>              "all": false,
> > > > >>              "no_members": false,
> > > > >>              "pkey_only": false,
> > > > >>              "raw": false,
> > > > >>              "version": "2.115",
> > > > >>              "whoami": false
> > > > >>          }
> > > > >>      ]
> > > > >> }
> > > > >> ipa: INFO: Response: {
> > > > >>      "error": null,
> > > > >>      "id": 0,
> > > > >>      "principal": "admin@IPA.EXAMPLE",
> > > > >>      "result": {
> > > > >>          "count": 2,
> > > > >>          "result": [
> > > > >>              {
> > > > >>                  "dn": 
> > > > >> "uid=admin,cn=users,cn=accounts,dc=ipa,dc=example",
> > > > >>                  "gidnumber": [
> > > > >>                      "1381000000"
> > > > >>                  ],
> > > > >> ...
> > > > >>
> > > > >>
> > > > >>> HTTP loadbalancing is not difficult at all, as we post to the
> > > > >>> webserver I need to have that part only auth right. We do more very
> > > > >>> specific loadbalancing stuff and this is the most easy one as it's
> > > > >>> only webserver forward, but IPA/Kerberos has an issue with the
> > > > >>> principal it seems... it cannot be hard to make that accepted I 
> > > > >>> would
> > > > >>> say.
> > > > >> If you insist on Kerberos servers behind a load balancer... you will 
> > > > >> need to
> > > > >> somehow share the Kerberos key among all servers. I will defer that 
> > > > >> to
> > > > >> Kerberos experts here.
> > > > >>
> > > > >>> I'm still looking for solutions :)
> > > > >> Sure, but you will save a lot of time and nerves if you simply call 
> > > > >> 'ipa'
> > > > >> command :-)
> > > > >>
> > > > >> Have a nice day!
> > > > >>
> > > > >> Petr^2 Spacek
> > > > >>
> > > > >>> Cheers,
> > > > >>>
> > > > >>> Matt
> > > > >>>
> > > > >>> 2015-03-31 15:58 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
> > > > >>>> On 31.3.2015 15:23, Matt . wrote:
> > > > >>>>> Hi Petr,
> > > > >>>>>
> > > > >>>>> We discussed that before indeed, but SRV is not usable in this 
> > > > >>>>> case.
> > > > >>>>>
> > > > >>>>> My clients are just webservers (apache) doing some executes of 
> > > > >>>>> CURL
> > > > >>>>> commands to ipa/json, actually the same commands as the webgui 
> > > > >>>>> does
> > > > >>>>> using json, but we curl it.
> > > > >>>>>
> > > > >>>>> Do you have a better view now ?
> > > > >>>> Yes. If you have seen the previous discussion then you know that 
> > > > >>>> it will be
> > > > >>>> pretty difficult to do this kind of load balancing.
> > > > >>>>
> > > > >>>> Why are you not using 'ipa' command or Python API we have instead? 
> > > > >>>> Why to use
> > > > >>>> CURL and make things more complex?
> > > > >>>>
> > > > >>>> Petr^2 Spacek
> > > > >>>>
> > > > >>>>> 2015-03-31 15:03 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
> > > > >>>>>> On 31.3.2015 14:35, Matt . wrote:
> > > > >>>>>>> Hi Petr,
> > > > >>>>>>>
> > > > >>>>>>> As this is not my topic it's for me quite "simple".
> > > > >>>>>>>
> > > > >>>>>>> I need to post to /ipa/json through a loadbalancer, nothing 
> > > > >>>>>>> more.
> > > > >>>>>>>
> > > > >>>>>>> i have
> > > > >>>>>>>
> > > > >>>>>>> ldap-01.domain.tld (ipa1)
> > > > >>>>>>> ldap-01.domain.tld (ipa2)
> > > > >>>>>>>
> > > > >>>>>>> and my loadbalancer is ldap.domain.tld
> > > > >>>>>>>
> > > > >>>>>>> ldap requests over a loadbalancer are quite simple and working, 
> > > > >>>>>>> but
> > > > >>>>>>> the json part is more difficult because of the ticket and the 
> > > > >>>>>>> dns
> > > > >>>>>>> name. I have added a san ldap.domain.tld to the webgui and 
> > > > >>>>>>> there is a
> > > > >>>>>>> http/ldap.domain.tld service on the ipa server.
> > > > >>>>>>>
> > > > >>>>>>> I get a nonvalid kerberos ticket when I go through 
> > > > >>>>>>> ldap.domain.tld to
> > > > >>>>>>> ldap-01.domain.tld, but when I change my script to 
> > > > >>>>>>> ldap-01.domain.tld
> > > > >>>>>>> after it failed my ticket is OK for ldap-01.domain.tld and 
> > > > >>>>>>> works.
> > > > >>>>>>>
> > > > >>>>>>> Is this enough information for you ?
> > > > >>>>>> Well, I still do not understand the use case. What are your 
> > > > >>>>>> clients? Are you
> > > > >>>>>> using 'ipa' command to do something? Or some other clients?
> > > > >>>>>>
> > > > >>>>>> Usually the best thing is to use DNS SRV records because it 
> > > > >>>>>> works even with
> > > > >>>>>> geographically distributed clusters and does not have single 
> > > > >>>>>> point of failure
> > > > >>>>>> (the load balancer).
> > > > >>>>>>
> > > > >>>>>> This requires clients with support for DNS SRV but if your 
> > > > >>>>>> machines are using
> > > > >>>>>> SSSD then you do not need to change anything and it should just 
> > > > >>>>>> work.
> > > > >>>>>>
> > > > >>>>>> That is why I'm asking for the use case :-)
> > > > >>>>>>
> > > > >>>>>> Petr^2 Spacek
> > > > >>>>>>
> > > > >>>>>>> 2015-03-31 14:21 GMT+02:00 Petr Spacek <pspa...@redhat.com>:
> > > > >>>>>>>> On 31.3.2015 14:02, Matt . wrote:
> > > > >>>>>>>>> HI Phasant,
> > > > >>>>>>>>>
> > > > >>>>>>>>> Check my mailings about it, it's not easy at least the 
> > > > >>>>>>>>> kerberos part
> > > > >>>>>>>>> not, SRV records are used for that normally.
> > > > >>>>>>>>>
> > > > >>>>>>>>> Are you talking about the webgui or the ldap part ?
> > > > >>>>>>>> I would recommend you to step back and describe use-case you 
> > > > >>>>>>>> have in mind. It
> > > > >>>>>>>> is important for us to understand to your use-case to propose 
> > > > >>>>>>>> optimal solution.
> > > > >>>>>>>>
> > > > >>>>>>>> Petr^2 Spacek
> > > > >>>>>>>>
> > > > >>>>>>>>> Cheers,
> > > > >>>>>>>>>
> > > > >>>>>>>>> Matt
> > > > >>>>>>>>>
> > > > >>>>>>>>> 2015-03-31 13:56 GMT+02:00 Prashant Bapat 
> > > > >>>>>>>>> <prash...@apigee.com>:
> > > > >>>>>>>>>> Hi,
> > > > >>>>>>>>>>
> > > > >>>>>>>>>> I'm trying to get 2 FreeIPA servers in a replicated mode 
> > > > >>>>>>>>>> behind a load
> > > > >>>>>>>>>> balancer, specifically Amazon ELB.
> > > > >>>>>>>>>>
> > > > >>>>>>>>>> I started with editing the 
> > > > >>>>>>>>>> /etc/httpd/conf.d/ipa-rewrite.conf but looks like
> > > > >>>>>>>>>> there is more to it than just this file.
> > > > >>>>>>>>>>
> > > > >>>>>>>>>> Any suggestions ?
> > > > >>>>>>>>>>
> > > > >>>>>>>>>> Thanks.
> > > > >>>>>>>>>> --Prashant
> > > > 
> > > > 
> > > > -- 
> > > > Thank you,
> > > > Dmitri Pal
> > > > 
> > > > Sr. Engineering Manager IdM portfolio
> > > > Red Hat, Inc.
> > > > 
> > > 
> > > kerberos is load balancer friendly, if you pet it nicely.
> > > 
> > > you generate a principal for the VIP.  you then create a keytab for the
> > > VIP.  you distribute the keytab via SCP (or other secure method) to all
> > > load balanced pool members.  you must distribute the same exact keytab
> > > to all devices.  the KVNO for the VIP principal must match in all copies
> > > put on the pool members.  use "klist -Kket /path/to/file.keytab" to
> > > validate this on all pool members.
> > > 
> > > there are additional steps you may want to take, in order to add the
> > > individual principal(s) to the same keytab, so that you can access the
> > > pool members themselves (not via the VIP).  this requires that you
> > > distribute the keytab as above, and then add the individual principals
> > > to the local copy of the keytab file.
> > > 
> > > example:
> > > 
> > > you have created the principal ldap/ldap.domain.tld for your VIP
> > > you have created the keytab for ldap/ldap.domain.tld as ~/ldap.keytab
> > > you have copied the keytab file ~/ldap.keytab to server1, server2 and
> > > server3 as /etc/ldap.keytab
> > > 
> > > you ssh to server1 and run kadmin.
> > > you then add a principal ldap/server1.domain.tld
> > > you then add the principal ldap/server1.domain.tld to the already
> > > existing keytab /etc/ldap.keytab.
> > > quit kadmin
> > > 
> > > when you run "klist -Kket /etc/ldap.keytab" you should see two
> > > principals in it.  the VIP name and the hostname.
> > > 
> > > lather, rinse, repeat for all servers.
> > > 
> > > keep in mind the administrative overhead of changing names of servers or
> > > VIPs.
> > > 
> > > there are other tricks for doing kerberos stuff.  i use the same VIP,
> > > but different ports in order to access an individual host/service behind
> > > the load balancer.  this works because the name (of the VIP) stays the
> > > same and i just point a different front end port to an individual
> > > backend device/port.
> > > 
> > 
> > This is all true if you just accept connections.
> > 
> > (Un?)fortunately we use delegation within IPA, which requires to use a
> > local key to contact the KDC. This action "fixates" what key we are
> > going to use to accept incoming context establishment requests. If a
> > principal name is not specified then the selected key is usually the
> > first in the keytab.
> > 
> > In an IPA setup that will usually be the server's specific key.
> > 
> > In order to use multiple keys in conjunction with IPA we'd have to
> > explicitly support. I am not sure if the SSL layer records which name
> > was used (perhaps it does if SNI is used, but almost certainly not is
> > SAN are used), or if multiple virtual hosts need to be used.
> > If we can know what name the client used then we could modify
> > mod_auth_gssapi to select a specific name to acquire creds and then
> > accept the connection with the correct keys. (Another option would be to
> > explicitly retry with each available key if something fails).
> > 
> > I am afraid I won't try to coerce mod_auth_kerb to do that, so this
> > option is probably something we can do only post 4.2 and only if we can
> > make appropriate modifications.
> > 
> > Simo.
> > 
> the below works for me on apache2.4, with mod_auth_kerb, MIT Kerberos V
> and OpenLDAP.  I run HAProxy, which holds the A/PTR records for
> www.bpk2.com, and load balances to each of the instances i have running
> behind it.  Fedora 20 with latest everything...
> 
>     AuthType Kerberos
>     AuthName "Enter your credentials"
>     KrbMethodNegotiate On
>     KrbMethodK5Passwd On
>     KrbSaveCredentials On
>     KrbAuthRealms BPK2.COM
>     Krb5KeyTab /etc/httpd/conf.d/httpd.keytab
>     KrbServiceName "HTTP/www.bpk2....@bpk2.com"
>     KrbLocalUserMapping On
>     KrbDelegateBasic Off
>     KrbAuthoritative Off
> 
> KrbServiceName explicitly sets the principal to be used.  because of
> this, i use the front end trick with port on the VIP to access a
> specific pool memeber (www:80 --> load balanced via least connections to
> all pool members, www:81 --> server1:80, www:82 --> server2:80)

Yes, this will work, most kerberized services can work this way, as you
can just use a single common key for all the servers and force
everything to go through the load balancer.

But IPA is more complex and some operations will be performed directly
against the specific server name, so you need to keep 2 sets of keys
(one for the server name and one for the load balancer name), but that
does not work right now.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to