Kerberos authentication and High availability

["Mustafa A. Hashmi" <mahashmi@gmail.com>]

Hi all,

I am looking for general feedback here from people running kerberized services behind linux-ha. This is of course not relevant to Heimdal directly, however, I am hoping people with similar setups can clear a few questions for me.

When a user request comes in to a linux-ha load balancer, for say 'imap' or 'pop', and the authentication mechinism used is GSSAPI, the load balancer redirects the request to an internal server. As an example, our organization has 2 mail servers which are sitting behind linux-ha. Clients connect to the hostname '
mail.domain.com', which reverses back to the IP 10.10.10.2. 

The actual target server IPS are 10.10.10.5 and 
10.10.10.6, with the hostnames node5.domain.com and node6.domain.com. The keytabs exported for the mail service hence house the service principals imap/node5.domain.com (and so on).

When a reverse look-up is done on the IP, the result is a mismatch on the hostname. I've had a few discussions where I have been informed that one approach to a resolve is to have the service scan through all keytab entries. This would in turn require modifications to say the imap/pop authentication service. As an example, one of the authors of Stanford's Webauth sent me a patch which does this for apache's kerberos module. 

Is this the correct approach? Should our services ensure that all keytab entries for the relevant service are scanned before rejecting authentication? 

I appreciate any feedback or hits on the head with a clue stick here.

Regards,
-- 
Mustafa A. Hashmi
mahashmi@gmail.com