
Re: Kerberos authentication and High availability




On Apr 3, 2007, at 1:48 AM, Mustafa A. Hashmi wrote:

> Thanks for your e-mail. Please see some comments in-line.
>
> On 4/3/07, Henry B. Hotz <hotz@jpl.nasa.gov> wrote:
> > The client is going to get a service ticket for the load balancer.
> > Probably no choice.  That's a good argument for not using load
> > balancers, IMO.  Instead clients should have a standard list of
> > CNAMEs to try.
>
> Well it's not just load balancing, it's high availability which is  
> also very important. Ensuring transparent fail-overs is paramount.

Define "transparent".  ;-)

What I'm talking about requires that the client be programmed to do  
it (which they may not be).  I'm thinking specifically of what  
Kerberos itself does:  it has a list of KDCs.  If the first one  
doesn't respond within a second, you try the second, etc.  Most  
clients don't notice the difference.

It's certainly convenient if you can shuffle servers around for  
maintenance without having to play with DNS to do it.  My grumpiness  
comes from the annoyance of dealing with all the naming issues you're  
asking about.

> > That means the service must be configured to accept tickets for the
> > load balancer's name.  For SASL-based services there is probably a
> > hostname config parameter somewhere that you need to set to the load
> > balancer name instead of the real local hostname.  This seems to work
> > for LDAP servers.
>
> Actually the Kerberos FAQ greatly helped as it addresses problems
> of this nature. I know this solution will probably be frowned upon,
> however, I simply set PTR records for multiple mail server IPs to
> resolve to mail.domain.com.

There's a move afoot to have Kerberos just take the server name at  
face value and not do any DNS translation.  When you start getting  
clients that work this way this solution may break.  They also want  
to do name canonicalization in the KDC, so that may solve the problem  
for you, depending on what gets deployed in what order.

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
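
An added illustration of the ordered-list failover described in the message above (not code from the message, the list, or any Kerberos implementation): the client tries each name with a one-second timeout and then asks for a ticket for the name it actually reached, with no DNS translation. The host names, the `imap` service, the realm, and both function names are assumptions made for the example.

```python
import socket

def first_reachable(names, port, timeout=1.0, connect=socket.create_connection):
    """Try each server name in order, as a Kerberos client walks its KDC list.

    Returns (name, connection, skipped). `connect` is injectable so the
    logic can be exercised without a network.
    """
    skipped = []
    for name in names:
        try:
            conn = connect((name, port), timeout=timeout)
        except OSError:          # refused, unreachable, or timed out
            skipped.append(name)
            continue
        return name, conn, skipped
    raise ConnectionError("no server answered: " + ", ".join(skipped))

def service_principal(service, name, realm):
    """Build the principal from the name the client actually used.

    No forward or reverse DNS lookup is done, so the service needs a key
    for exactly this name (not for whatever a PTR record says).
    """
    return f"{service}/{name.lower()}@{realm}"

if __name__ == "__main__":
    # Constructed stand-in for the network: the first server is down.
    def stub_connect(address, timeout=None):
        if address[0] == "mail1.example.com":
            raise socket.timeout("no answer within %.1fs" % timeout)
        return object()

    name, _conn, skipped = first_reachable(
        ["mail1.example.com", "mail2.example.com"], 143, connect=stub_connect)
    print("skipped:", skipped)
    print("request ticket for:", service_principal("imap", name, "EXAMPLE.COM"))
```

Each server in the list needs a keytab entry for its own name, which is the per-host alternative to giving every backend the load balancer's name.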