Re: Kerberos behind load balancer?

2004-10-07 Thread Henry B. Hotz
My basic objection to a load balancer is that Kerberos was designed to do its own failover without one. Kerberos was also originally designed to require FQDNs to uniquely map to the destination IP numbers. Violations of those assumptions deserved to fail because they might indicate some

Re: Kerberos behind load balancer?

2004-10-06 Thread Jason T Hardy
On Tue, 2004-10-05 at 23:03, Ken Raeburn wrote: I think there are better solutions to that. (1) Create a DNS name which points to multiple addresses; typically the nameserver will change the order randomly, which will effect some load balancing. (2) Use DNS SRV records to return the names

Re: Kerberos behind load balancer?

2004-10-06 Thread Jason T Hardy
On Wed, 2004-10-06 at 00:23, Frank Cusack wrote: balancer, have all of the KDCs share one hostname. Our kadmin server can also share that hostname. kerberos:88 - points to our KDCs kerberos:749 - points to our admin server Isn't that broken? You can't load balance the admin server

Re: Kerberos behind load balancer?

2004-10-06 Thread Ken Hornstein
Isn't that broken? You can't load balance the admin server because MIT isn't multi-master. For DR it's just as easy to bring up a new server with the old server's IP. No, it's not broken. The kadmin server that's active responds to the request. If my admin server goes down I can promote one

Re: Kerberos behind load balancer?

2004-10-06 Thread Tillman Hodgson
On Wed, Oct 06, 2004 at 09:59:06AM -0400, Ken Hornstein wrote: And let me echo the comments of others: we've run our Kerberos servers on the oldest, crappiest hardware we've had kicking around the dustbin (we upgrade it occasionally, but it's always to the latest crappiest system we've got

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
And let me echo the comments of others: we've run our Kerberos servers on the oldest, crappiest hardware we've had kicking around the dustbin (we upgrade it occasionally, but it's always to the latest crappiest system we've got lying around). I seriously doubt you're going to need a load

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
: [EMAIL PROTECTED] on behalf of Tillman Hodgson Sent: Wed 10/6/2004 11:46 AM To: [EMAIL PROTECTED] Subject: Re: Kerberos behind load balancer? On Wed, Oct 06, 2004 at 09:59:06AM -0400, Ken Hornstein wrote: And let me echo the comments of others: we've run our Kerberos servers on the oldest

Re: Kerberos behind load balancer?

2004-10-06 Thread Tillman Hodgson
On Wed, Oct 06, 2004 at 12:07:23PM -0500, Kasundra, Digant wrote: I agree that the load is not an issue. But without DNS round-robin, and without the load-balancer, we'd have to arbitrarily point our systems and services at one of the slaves. If that slave goes down, we'd have to scramble

Re: Kerberos behind load balancer?

2004-10-06 Thread Ken Hornstein
If we could modify DNS to do DNS round-robin, we too would be okay. But we can't. This is the part I don't understand. _WHY_ do you think you need this? I've literally run 6 years with a very simple setup: two KDCs, each one listed in DNS and our krb5.conf. On the rare occasions we lose a

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
Anycast looks promising. -Original Message- From: [EMAIL PROTECTED] on behalf of Tillman Hodgson Sent: Wed 10/6/2004 12:15 PM To: [EMAIL PROTECTED] Subject: Re: Kerberos behind load balancer? On Wed, Oct 06, 2004 at 12:07:23PM -0500, Kasundra, Digant wrote: I agree that the load

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
and bound by other politics to not do it the way everyone else is. -- DK -Original Message- From: [EMAIL PROTECTED] on behalf of Ken Hornstein Sent: Wed 10/6/2004 12:14 PM To: [EMAIL PROTECTED] Subject: Re: Kerberos behind load balancer? If we could modify DNS to do DNS round-robin, we too

Re: Kerberos behind load balancer?

2004-10-06 Thread Ken Hornstein
How do you list both in DNS? Are you implying that in DNS you only have (for instance) kerb1.mit.edu and kerb2.mit.edu and list both machines as KDCs in the krb5.conf. If so, the app then randomly picks a KDC and tries that and if that fails, it rolls over to the next? You then build that

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
: [EMAIL PROTECTED] on behalf of Tillman Hodgson Sent: Wed 10/6/2004 12:15 PM To: [EMAIL PROTECTED] Subject: Re: Kerberos behind load balancer? On Wed, Oct 06, 2004 at 12:07:23PM -0500, Kasundra, Digant wrote: I agree that the load is not an issue. But without DNS round-robin, and without

Re: Kerberos behind load balancer?

2004-10-06 Thread Sam Hartman
Jason == Jason T Hardy [EMAIL PROTECTED] writes: Jason Sam, Actually, a load balancer simplifies client deployment Jason in our case (we can't utilize DNS load balancing on our Jason campus). We can, with a load balancer, have all of the Jason KDCs share one hostname. Our kadmin

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
Jason can correct me if I'm wrong, but the internal politics here would not allow us to do this. I'm not 100% sure, however. -Original Message- From: [EMAIL PROTECTED] on behalf of Ken Hornstein Sent: Wed 10/6/2004 12:41 PM To: [EMAIL PROTECTED] Subject: Re: Kerberos behind load

Re: Kerberos behind load balancer?

2004-10-06 Thread Gary LaVoy
The load balancer is simply another failure point. As is everything else. However load balancers are complicated devices and more prone to failure. WHOA! - Yes load balancers can be complicated if you want to use all the features, but prone to failure?? where do you get that from? We have

Re: Kerberos behind load balancer?

2004-10-06 Thread Jason T Hardy
On Wed, 2004-10-06 at 12:52, Sam Hartman wrote: Jason == Jason T Hardy [EMAIL PROTECTED] writes: Jason Sam, Actually, a load balancer simplifies client deployment Jason in our case (we can't utilize DNS load balancing on our Jason campus). We can, with a load balancer, have all

Re: Kerberos behind load balancer?

2004-10-06 Thread Ken Hornstein
I guess the problem that everyone is having with our deployment is the term load-balancer. We don't actually want to ease the load off of our KDCs, we just want to provide a seamless way of ensuring availability in the event that we lose one (or more) of them. I think it's true for everyone who's

Re: Kerberos behind load balancer?

2004-10-06 Thread Frank Cusack
On Wed, 6 Oct 2004 19:31:19 + (UTC) [EMAIL PROTECTED] (Jason T Hardy) wrote: I guess the problem that everyone is having with our deployment is the term load-balancer. We don't actually want to ease the load off of our ... Good, because: You'll say that DNS is the answer. I would agree.

Re: Kerberos behind load balancer?

2004-10-06 Thread Frank Cusack
On Wed, 6 Oct 2004 19:21:19 + (UTC) [EMAIL PROTECTED] (Gary LaVoy) wrote: The load balancer is simply another failure point. As is everything else. However load balancers are complicated devices and more prone to failure. WHOA! - Yes load balancers can be complicated if you want to use

Re: Kerberos behind load balancer?

2004-10-05 Thread Sam Hartman
Sticking your KDC behind a load balancer seems like a singularly bad idea. It's going to introduce a lot of complexity for no real benefit. Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Kerberos behind load balancer?

2004-10-05 Thread Jason T Hardy
Sam, Actually, a load balancer simplifies client deployment in our case (we can't utilize DNS load balancing on our campus). We can, with a load balancer, have all of the KDCs share one hostname. Our kadmin server can also share that hostname. kerberos:88 - points to our KDCs kerberos:749 -

Re: Kerberos behind load balancer?

2004-10-05 Thread Ken Raeburn
On Oct 5, 2004, at 23:15, Jason T Hardy wrote: Sam, Actually, a load balancer simplifies client deployment in our case (we can't utilize DNS load balancing on our campus). We can, with a load balancer, have all of the KDCs share one hostname. Our kadmin server can also share that hostname.

Re: Kerberos behind load balancer?

2004-10-05 Thread Frank Cusack
On Wed, 6 Oct 2004 03:59:35 + (UTC) [EMAIL PROTECTED] (Jason T Hardy) wrote: Sam, Actually, a load balancer simplifies client deployment in our case (we can't utilize DNS load balancing on our campus). We can, with a load Don't need DNS load balancing (and it's broken anyway). balancer,

Kerberos behind load balancer?

2004-09-30 Thread Kasundra, Digant
Hello folks, We just bought ourselves a nifty little NetScaler load balancing router. But we can't seem to make it work with Kerberos. I believe we're supposed to set up the balancer to forward on the source IP and add a loopback address (not sure how) that listens to the same virtual IP and