
Re: Kerberos authentication and High availability



The client is going to get a service ticket for the load balancer.   
Probably no choice.  That's a good argument for not using load  
balancers, IMO.  Instead clients should have a standard list of  
CNAMEs to try.

That means the service must be configured to accept tickets for the  
load balancer's name.  For SASL-based services there is probably a  
hostname config parameter somewhere that you need to set to the load  
balancer name instead of the real local hostname.  This seems to work  
for LDAP servers.

For GSSAPI-based services you should arrange to use  
GSS_C_NO_CREDENTIAL as argument 3 to gss_accept_sec_context if you  
can.  (That's probably the patch for mod_auth_kerb you got.)  In that  
case it will accept whatever ticket matches an entry in the keytab file.

In both cases you need to put the correct stuff in the services'  
keytab files.

On Mar 14, 2007, at 12:59 AM, Mustafa A. Hashmi wrote:

> Hi all,
>
> I am looking for general feedback here from people running  
> kerberized services behind linux-ha. This is of course not relevant  
> to Heimdal directly, however, I am hoping people with similar  
> setups can clear a few questions for me.
>
> When a user request comes in to a linux-ha load balancer, for say  
> 'imap' or 'pop', and the authentication mechanism used is GSSAPI,  
> the load balancer redirects the request to an internal server. As  
> an example, our organization has 2 mail servers which are sitting  
> behind linux-ha. Clients connect to the hostname  
> 'mail.domain.com', which reverses back to the IP 10.10.10.2.
>
> The actual target server IPs are 10.10.10.5 and 10.10.10.6, with  
> the hostnames node5.domain.com and node6.domain.com. The keytabs  
> exported for the mail service hence house the service principals  
> imap/node5.domain.com (and so on).
>
> When a reverse look-up is done on the IP, the result is a mismatch  
> on the hostname. I've had a few discussions where I have been  
> informed that one approach to resolving this is to have the service scan  
> through all keytab entries. This would in turn require  
> modifications to say the imap/pop authentication service. As an  
> example, one of the authors of Stanford's Webauth sent me a patch  
> which does this for apache's kerberos module.
>
> Is this the correct approach? Should our services ensure that all  
> keytab entries for the relevant service are scanned before  
> rejecting authentication?
>
> I appreciate any feedback or hits on the head with a clue stick here.
>
> Regards,
> -- 
> Mustafa A. Hashmi
> mahashmi@gmail.com

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
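The "correct stuff in the services' keytab files" above is the part that is easiest to get wrong and easiest to check. An acceptor handed GSS_C_NO_CREDENTIAL matches the service name in the client's ticket against every entry in the keytab, so each node behind the balancer needs an entry for imap/mail.domain.com as well as for its own name, with the same kvno and enctype on every node. The following is an added example, not code from this thread or from Heimdal: a small parser for the MIT/Heimdal keytab file format (version 0x0502) plus a coverage check that reports, per service name, which kvnos a node's keytab can satisfy. The realm DOMAIN.COM, the hostnames, timestamps and key bytes are constructed for illustration; point `parse_keytab` at the bytes of a real `/etc/krb5.keytab` to run it against a node.

```python
"""Keytab inspection for a node behind a load balancer (added example).

Parses the MIT/Heimdal keytab format 0x0502 (big-endian) and checks which
service/host principals a node holds keys for.  Realm, hostnames, kvnos
and key bytes below are constructed sample data, not real credentials.
"""
import struct
from dataclasses import dataclass

KEYTAB_VERSION = 0x0502      # file format version; all integers big-endian
KRB5_NT_SRV_HST = 3          # name type of service/host principals
ETYPE_AES256_SHA1 = 18       # aes256-cts-hmac-sha1-96


@dataclass
class KeytabEntry:
    realm: str
    components: list         # e.g. ["imap", "node5.domain.com"]
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted(s: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(s)) + s


def encode_entry(e: KeytabEntry) -> bytes:
    body = struct.pack(">H", len(e.components)) + _counted(e.realm.encode())
    for c in e.components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">H", e.enctype) + _counted(e.key)
    body += struct.pack(">I", e.kvno)        # optional 32-bit vno after the key
    return struct.pack(">i", len(body)) + body  # size excludes the size field


def build_keytab(entries) -> bytes:
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(map(encode_entry, entries))


def parse_keytab(data: bytes):
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                        # negative size marks a deleted entry
            off += -size
            continue
        end, pos = off + size, off

        def take() -> bytes:
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            s = data[pos:pos + n]
            pos += n
            return s

        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = take().decode()
        comps = [take().decode() for _ in range(ncomp)]
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key = take()
        kvno = vno8
        if end - pos >= 4:                   # 32-bit vno present: prefer it if nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        entries.append(KeytabEntry(realm, comps, name_type, ts, kvno, enctype, key))
        off = end
    return entries


def find_entries(entries, principal, enctype=None):
    """What an acceptor given GSS_C_NO_CREDENTIAL effectively does: match the
    ticket's service name against every keytab entry, not one fixed name."""
    return [e for e in entries
            if e.principal == principal and (enctype is None or e.enctype == enctype)]


def keytab_coverage(entries, service, hosts, realm):
    """Map each service/host principal the node must accept to the kvnos it
    holds; an empty list means tickets for that name will be rejected here."""
    return {"%s/%s@%s" % (service, h, realm):
            sorted({e.kvno for e in entries
                    if e.components == [service, h] and e.realm == realm})
            for h in hosts}


REALM = "DOMAIN.COM"
NAMES = ["node5.domain.com", "mail.domain.com"]
# Constructed sample: node5's keytab as first exported (only its own name) ...
NODE5_BEFORE = build_keytab([KeytabEntry(REALM, ["imap", "node5.domain.com"],
                                         KRB5_NT_SRV_HST, 1173830400, 2,
                                         ETYPE_AES256_SHA1, bytes(range(32)))])
# ... and after the load balancer's principal is added (same key must be on node6).
NODE5_AFTER = NODE5_BEFORE + encode_entry(KeytabEntry(REALM, ["imap", "mail.domain.com"],
                                                      KRB5_NT_SRV_HST, 1173830400, 3,
                                                      ETYPE_AES256_SHA1, bytes(32)))

if __name__ == "__main__":
    for label, kt in (("before", NODE5_BEFORE), ("after", NODE5_AFTER)):
        print(label, keytab_coverage(parse_keytab(kt), "imap", NAMES, REALM))
```

Run the coverage check on each node and compare: imap/mail.domain.com must appear on every node with the same kvno and enctype, since the KDC holds one key for that principal. With MIT `kadmin ktadd`, each export randomizes the key and bumps the kvno, so exporting separately on node5 and node6 leaves one of them with a stale copy; extract once and copy the entry, then re-run the check.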