[38865] in Kerberos
RE: Load Balancing KCDs
daemon@ATHENA.MIT.EDU (Jonathan Towles)
Thu Feb 18 16:56:07 2021
From: Jonathan Towles <jjtowles@synterex.com>
To: Robbie Harwood <rharwood@redhat.com>,
"kerberos@mit.edu" <kerberos@mit.edu>
Date: Thu, 18 Feb 2021 21:53:19 +0000
Message-ID: <MN2PR15MB30710F9484F161CC530AD15DB9859@MN2PR15MB3071.namprd15.prod.outlook.com>
In-Reply-To: <jlgeehdt5d0.fsf@redhat.com>
Yeah I saw this also.
From what I've read holistically, putting your DCs behind a VIP tends to be problematic because the member server name doesn't match the name of the SPN, thus it becomes vehemently unhappy.
I suppose you could possibly build an ASA similar to how you do Kerberos with Exchange and try to leverage that but I've read/heard there's a ton of reliability issues and you should just rely on the krb5.conf like:
[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        kdc = kerberos-2.mit.edu:750
        admin_server = kerberos.mit.edu
        master_kdc = kerberos.mit.edu
        default_domain = mit.edu
    }
Jon Towles
CTO, Synterex
(m) 978-609-5545
-----Original Message-----
From: Robbie Harwood <rharwood@redhat.com>
Sent: Thursday, February 18, 2021 4:48 PM
To: Jonathan Towles <jjtowles@synterex.com>; kerberos@mit.edu
Subject: Re: Load Balancing KCDs
Jonathan Towles <jjtowles@synterex.com> writes:
> Does anyone have experience putting DCs behind a network load balancer
> for Kerberos Authentication?
>
> Depending on who you ask, it doesn't really work. I wanted to ask the
> group to see if anyone has strong experience in doing it and if it's
> feasible?
I usually refer to Simo's post on this:
https://ssimo.org/blog/id_019.html
Thanks,
--Robbie
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
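As an added example (not from the thread, and not MIT krb5 code), a small Python parser for the [realms] stanza quoted above: it returns the ordered KDC list a client walks through on failover, which is the client-side alternative to a VIP that the reply recommends. SAMPLE_KRB5_CONF is a constructed fragment modelled on the quoted stanza, and the port default of 88 is the standard Kerberos port.

```python
import re

# Constructed krb5.conf fragment modelled on the stanza quoted in the thread.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = ATHENA.MIT.EDU

[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        kdc = kerberos-2.mit.edu:750
        admin_server = kerberos.mit.edu
        master_kdc = kerberos.mit.edu
        default_domain = mit.edu
    }
"""

DEFAULT_KDC_PORT = 88  # standard Kerberos port used when no :port is given


def parse_hostport(value):
    """Split 'host[:port]' into (host, port); port defaults to 88."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, DEFAULT_KDC_PORT


def parse_realms(text):
    """Return {realm: {key: [values...]}} for every realm in the [realms] section.
    Repeated keys such as 'kdc' keep their file order, since that is the
    order a client tries them in."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        sec = re.fullmatch(r"\[(\w+)\]", line)
        if sec:
            section = sec.group(1)
            continue
        if section != "realms":
            continue
        opener = re.fullmatch(r"(\S+)\s*=\s*\{", line)
        if opener:
            current = realms.setdefault(opener.group(1), {})
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return realms


def kdc_failover_order(realms, realm):
    """Ordered (host, port, is_master) tuples the client will try for a realm."""
    entry = realms[realm]
    masters = {parse_hostport(v) for v in entry.get("master_kdc", [])}
    return [(h, p, (h, p) in masters)
            for h, p in map(parse_hostport, entry.get("kdc", []))]
```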