[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Kerberos authentication and High availability

To: "Mustafa A. Hashmi" <mahashmi@gmail.com>
Subject: Re: Kerberos authentication and High availability
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Wed, 4 Apr 2007 10:45:02 -0700
Cc: heimdal-discuss@sics.se
In-Reply-To: <5f636a2f0704040415y501fa77dm6d2eb3e7cdbad622@mail.gmail.com>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <5f636a2f0703140059h3d299f70t5611d817439f0bc7@mail.gmail.com> <B181F8F0-7694-4E86-B2F3-B67B90A19095@jpl.nasa.gov> <5f636a2f0704030148u7d0c7b5awf325dbf450e48595@mail.gmail.com> <8FA0527C-3ACA-4A8E-8D2B-D3AA67B3C352@jpl.nasa.gov> <5f636a2f0704040415y501fa77dm6d2eb3e7cdbad622@mail.gmail.com>
Reply-To: heimdal-discuss@sics.se, "Henry B. Hotz" <hotz@jpl.nasa.gov>


On Apr 4, 2007, at 4:15 AM, Mustafa A. Hashmi wrote:

> On 4/3/07, Henry B. Hotz <hotz@jpl.nasa.gov> wrote:
>
> On Apr 3, 2007, at 1:48 AM, Mustafa A. Hashmi wrote:
>
> > Thanks for your e-mail. Please see some comments in-line.
> >
> > On 4/3/07, Henry B. Hotz < hotz@jpl.nasa.gov > wrote:The client is
> > going to get a service ticket for the load balancer.
> > Probably no choice.  That's a good argument for not using load
> > balancers, IMO.  Instead clients should have a standard list of
> > CNAMEs to try.
> >
> > Well it's not just load balancing, it's high availability which is
> > also very important. Ensuring transparent fail-overs is paramount.
>
> Define "transparent".  ;-)
>
> With minimal user disruption. I am not sure how familiar you are  
> with the linux-ha project, however, smtp / pop / imap / web (other)  
> services are maintained in a HA pool where the monitors themselves  
> are redundant. It's quite configurable, so depending on how much  
> network noise you want to generate, these systems can check  
> services in defined intervals to keep the active HA pool quite  
> current.
>
> What I'm talking about requires that the client be programmed to do
> it (which they may not be).  I'm thinking specifically of what
> Kerberos itself does:  it has a list of KDCs.  If the first one
> doesn't respond within a second, you try the second, etc.  Most
> clients don't notice the difference.
>
> Sure, but the clients here range from web browsers to e-mail  
> clients to xyz written by abc using saslauthd. Certainly coming up  
> with client based solutions doesn't work at this point. It also  
> takes HA out of the picture --  the client is going directly to  
> defined service targets.
>
> Don't get me wrong, I think it's a very elegant and clean solution  
> -- just not feasible given immediate needs and deployments.

We're in "violent agreement".

> It's certainly convenient if you can shuffle servers around for
> maintenance without having to play with DNS to do it.  My grumpiness
> comes from the annoyance of dealing with all the naming issues you're
> asking about.
>
> Understandable -- am not happy with this either.
>
> > That means the service must be configured to accept tickets for the
> > load balancer's name.  For SASL-based services there is probably a
> > hostname config parameter somewhere that you need to set to the load
> > balancer name instead of the real local hostname.  This seems to  
> work
> > for LDAP servers.
> >
> > Actually the kerberos FAQ greatly helped as it addresses problems
> > of this nature. I know this solution will probably be frowned upon,
> > however, I simply set ptr records for multiple mail server IPs to
> > resolve to mail.domain.com.
>
> There's a move afoot to have Kerberos just take the server name at
> face value and not do any DNS translation.  When you start getting
> clients that work this way this solution may break.  They also want
> to do name canonicalization in the KDC, so that may solve the problem
> for you, depending on what gets deployed in what order.
>
> Interesting. Why would the former solution break when we get  
> clients that have a list of service targets to try?

The "list of targets" scenario was my ideal.  This piece is: how do  
you deal with the non-ideal clients that are dependent on an Edge/ 
load balancer/HA front end.

I think your PTR record solution is nice.  I wish my own situation  
was that simply resolved.  I'm just trying to point out some areas  
where it might break in the future (with non-ideal clients).

> Canonicalization may indeed work best in our case -- but I wonder  
> how different needs get in such scenarios. Don't we all face  
> similar issues?
> --
> Mustafa A. Hashmi
> mahashmi@gmail.com

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

References:
- Re: Kerberos authentication and High availability
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
- Re: Kerberos authentication and High availability
  - From: "Mustafa A. Hashmi" <mahashmi@gmail.com>
- Re: Kerberos authentication and High availability
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
- Re: Kerberos authentication and High availability
  - From: "Mustafa A. Hashmi" <mahashmi@gmail.com>

Prev by Date: Re: Kerberos authentication and High availability
Next by Date: Respectfully submitted { Mr Bo Xilai }
Prev by thread: Re: Kerberos authentication and High availability
Next by thread: Final Notification
Index(es):
- Date
- Thread