
Kerberos through loadbalancer

daemon@ATHENA.MIT.EDU (Stefan Kania)
Fri May 20 03:45:56 2022

Message-ID: <8bca181e-086d-2fb1-037a-0975962a9be9@kania-online.de>
Date: Fri, 20 May 2022 09:41:20 +0200
To: <kerberos@mit.edu>
From: Stefan Kania <stefan@kania-online.de>

Hi to all,

We have four LDAP providers, ldap1.example.net to ldap4.example.net. We
secure the replication via Kerberos; everything works fine between the
providers. But now we want to set up some consumers. Between the
providers and the consumers a load balancer is located, so the consumers
only connect to the load balancer, and the load balancer chooses one of the
providers. For the replication we put the FQDN of the load balancer
into the configuration. The FQDN is ldap.example.net. We then created a
host principal and a service principal for ldap.example.net, and we put
the host key into /etc/krb5.keytab of all LDAP providers, the same with
the service key. So now all providers can use both their own keys and the
keys from the load balancer. But it's not working :-(. In the log of the
provider we see that the consumer connects. LDAPS is working. But
Kerberos fails with the following messages:
--------------------
SASL [conn=5032] Failure: GSSAPI Error:  Miscellaneous failure (see
text) (Decrypt integrity check failed for checksum type
hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96)

slapd[59382]: conn=5032 op=0 RESULT tag=97 err=49 qtime=0.000028
etime=0.017274 text=SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context

--------------------
The same user we are using works without using the loadbalancer. If our
solution is wrong, what would be the right way to use a loadbalancer
together with kerberos?

Stefan
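Before changing the setup, one check worth running, as an added example that is not from the original post or from MIT Kerberos itself: the keytab entries for the load-balancer principals must carry the same kvno on every provider and match the kvno the KDC currently issues tickets for, because a keytab key that does not match the KDC's key is a common reason for `gss_accept_sec_context` to fail with a decrypt integrity check error. The script parses constructed `klist -kte` (MIT format) and `kvno` output; in real use the commands are run on each provider and on a consumer, and the host names and realm EXAMPLE.NET are assumptions.

```python
import re

# The two principals the poster created for the load balancer name (realm assumed).
LB_PRINCIPALS = {"host/ldap.example.net@EXAMPLE.NET", "ldap/ldap.example.net@EXAMPLE.NET"}
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+)\s+\((\S+)\)\s*$")

# Constructed sample: `klist -kte /etc/krb5.keytab` output from two providers. ldap2 got
# a fresh `ktadd` for the load-balancer principals, which bumped the kvno on the KDC.
KLIST = {
    "ldap1.example.net": """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
   2 05/19/2022 14:02:11 host/ldap1.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   3 05/19/2022 16:40:05 host/ldap.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   3 05/19/2022 16:40:05 ldap/ldap.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
""",
    "ldap2.example.net": """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
   2 05/19/2022 14:05:47 host/ldap2.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   4 05/20/2022 08:12:30 host/ldap.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
   4 05/20/2022 08:12:30 ldap/ldap.example.net@EXAMPLE.NET (aes256-cts-hmac-sha1-96)
""",
}
# Constructed sample: `kvno ldap/ldap.example.net` run on a consumer (the KDC's current kvno).
KVNO_OUT = "ldap/ldap.example.net@EXAMPLE.NET: kvno = 4\n"


def parse_klist(text):
    """Map (principal, enctype) -> kvno from `klist -kte` output; non-entry lines are skipped."""
    out = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            out[(m.group(2), m.group(3))] = int(m.group(1))
    return out

def keytab_mismatches(klist_by_host, principals):
    """Shared entries whose kvno differs between providers or is missing (None) on one of them."""
    seen = {}
    for host, text in klist_by_host.items():
        for (princ, etype), kvno in parse_klist(text).items():
            if princ in principals:
                seen.setdefault((princ, etype), {})[host] = kvno
    full = {k: {h: v.get(h) for h in klist_by_host} for k, v in seen.items()}
    return {k: v for k, v in full.items() if len(set(v.values())) > 1}

def stale_against_kdc(klist_by_host, principal, kvno_out):
    """Providers whose keytab kvno for `principal` is not the one the KDC reports via `kvno`."""
    current = int(re.search(r"kvno = (\d+)", kvno_out).group(1))
    return {h: kv for h, text in klist_by_host.items()
            for (p, _etype), kv in parse_klist(text).items() if p == principal and kv != current}
```

If a provider shows up as stale, the fix is to export the load-balancer principals into one keytab and copy that same file to every provider, rather than running `ktadd` on each host, since MIT kadmin's `ktadd` generates a new key and kvno by default.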
