Re: Kerberos authentication and High availability

Thanks for your e-mail. Please see some comments in-line.

On 4/3/07, Henry B. Hotz <hotz@jpl.nasa.gov> wrote:
> The client is going to get a service ticket for the load balancer.
> Probably no choice.  That's a good argument for not using load
> balancers, IMO.  Instead clients should have a standard list of
> CNAMEs to try.

Well it's not just load balancing, it's high availability which is also very important. Ensuring transparent fail-overs is paramount.

> That means the service must be configured to accept tickets for the
> load balancer's name.  For SASL-based services there is probably a
> hostname config parameter somewhere that you need to set to the load
> balancer name instead of the real local hostname.  This seems to work
> for LDAP servers.

Actually the Kerberos FAQ greatly helped as it addresses problems of this nature. I know this solution will probably be frowned upon; however, I simply set PTR records for multiple mail server IPs to resolve to mail.domain.com.

> For GSSAPI-based services you should arrange to use
> GSS_C_NO_CREDENTIAL as argument 3 to gss_accept_sec_context if you
> can.  (That's probably the patch for mod_auth_kerb you got.)  In that
> case it will accept whatever ticket matches an entry in the keytab file.

That's exactly what we did for Dovecot -- worked great. However, when using SASL and kerberos-v5 as the mech, reverse PTR records seemed like the simplest solution.

> In both cases you need to put the correct stuff in the services'
> keytab files.

Keytabs were updated to hold smtp/mail.domain.com across all mail servers.

> On Mar 14, 2007, at 12:59 AM, Mustafa A. Hashmi wrote:

>> Hi all,
>> I am looking for general feedback here from people running
>> kerberized services behind linux-ha. This is of course not relevant
>> to Heimdal directly; however, I am hoping people with similar
>> setups can clear a few questions for me.
>> When a user request comes in to a linux-ha load balancer, for say
>> 'imap' or 'pop', and the authentication mechanism used is GSSAPI,
>> the load balancer redirects the request to an internal server. As
>> an example, our organization has 2 mail servers which are sitting
>> behind linux-ha. Clients connect to the hostname
>> 'mail.domain.com', which reverses back to the IP
>> The actual target server IPs are and, with
>> the hostnames node5.domain.com and node6.domain.com. The keytabs
>> exported for the mail service hence house the service principals
>> imap/node5.domain.com (and so on).
>> When a reverse look-up is done on the IP, the result is a mismatch
>> on the hostname. I've had a few discussions where I have been
>> informed that one approach to a resolution is to have the service scan
>> through all keytab entries. This would in turn require
>> modifications to, say, the imap/pop authentication service. As an
>> example, one of the authors of Stanford's WebAuth sent me a patch
>> which does this for Apache's Kerberos module.
>> Is this the correct approach? Should our services ensure that all
>> keytab entries for the relevant service are scanned before
>> rejecting authentication?
>> I appreciate any feedback or hits on the head with a clue stick here.
>> Regards,
>> --
>> Mustafa A. Hashmi
>> mahashmi@gmail.com
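Added example, not code from the thread or from either poster: a small Python parser for the version-2 (0x0502) keytab file layout that MIT and Heimdal write, with the "scan all keytab entries" acceptance the thread discusses (the behaviour a GSSAPI acceptor gets with GSS_C_NO_CREDENTIAL), the stricter hostname-bound acceptance beside it, and an operational check that a node's keytab carries the load-balancer name for every service clients use. The keytab bytes, key material, kvnos and the DOMAIN.COM realm are constructed here; only the mail.domain.com and node5.domain.com hostnames follow the thread.

```python
"""Added example (not from the thread): parse a Kerberos keytab and check
which service principals it can accept tickets for.  The keytab bytes below
are constructed test data; realm, keys and kvnos are made up."""
import struct
from typing import Iterable, List, NamedTuple, Optional, Tuple

class KeytabEntry(NamedTuple):
    principal: str   # e.g. "smtp/mail.domain.com@DOMAIN.COM"
    kvno: int
    enctype: int     # RFC 3961 number, e.g. 18 = aes256-cts-hmac-sha1-96

def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a 16-bit-length-prefixed octet string, return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 (0x0502) keytab: big-endian, realm not counted in ncomp."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted entry
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        off += 8                          # name_type (4) and timestamp (4)
        kvno = data[off]                  # 8-bit kvno
        off += 1
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4 + keylen                 # skip the key material itself
        if end - off >= 4:                # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or kvno
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries

def can_accept(entries: Iterable[KeytabEntry], ticket_server: str) -> bool:
    """GSS_C_NO_CREDENTIAL semantics: any keytab entry naming the ticket's
    server principal is good enough, whatever the local hostname is."""
    return any(e.principal == ticket_server for e in entries)

def can_accept_bound(entries, service: str, local_host: str, realm: str, ticket_server: str) -> bool:
    """An acceptor bound to its own hostname accepts only service/local_host."""
    return ticket_server == f"{service}/{local_host}@{realm}" and can_accept(entries, ticket_server)

def missing_ha_principals(entries, services, vip_host: str, realm: str) -> List[str]:
    """Principals a node still lacks for clients that target the load-balancer name."""
    have = {e.principal for e in entries}
    return [p for p in (f"{s}/{vip_host}@{realm}" for s in services) if p not in have]

def build_keytab(entries: Iterable[Optional[Tuple[str, int, int, bytes]]]) -> bytes:
    """Serialize constructed test data in 0x0502 layout; None writes a deleted slot."""
    out = bytearray(b"\x05\x02")
    for item in entries:
        if item is None:
            out += struct.pack(">i", -8) + b"\x00" * 8
            continue
        principal, kvno, enctype, key = item
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">II", 1, 0)               # KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">B", kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

# Constructed keytab for node5: imap and smtp under its own name, smtp under the
# load-balancer name, plus one deleted slot to exercise that code path.
NODE5_KEYTAB = build_keytab([
    ("imap/node5.domain.com@DOMAIN.COM", 3, 18, b"\x11" * 32),
    None,
    ("smtp/node5.domain.com@DOMAIN.COM", 3, 18, b"\x22" * 32),
    ("smtp/mail.domain.com@DOMAIN.COM", 2, 18, b"\x33" * 32),
])

if __name__ == "__main__":
    ents = parse_keytab(NODE5_KEYTAB)
    for e in ents:
        print(f"{e.principal:40s} kvno={e.kvno} enctype={e.enctype}")
    print("imap ticket for VIP accepted:", can_accept(ents, "imap/mail.domain.com@DOMAIN.COM"))
    print("missing for HA:", missing_ha_principals(ents, ["imap", "smtp"], "mail.domain.com", "DOMAIN.COM"))
```

Run against a real keytab (`open("/etc/krb5.keytab", "rb").read()`) the `missing_ha_principals` check is the one to repeat on every node behind the balancer: a ticket for smtp/mail.domain.com is accepted on node5 here, but an imap ticket for the same name is not, which is exactly the mismatch the original post describes.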