
Re: Kerberos and Load balancing

It's not worth it.

It's pretty hard to imagine a load that a single, modern server can't  
handle nicely.  You should run multiple servers for redundancy and  
reliability, not performance.  I'm running 7 servers, but that's due  
entirely to disaster recovery, firewall, and network topology *NOT*  

A single 5-year-old Sun could handle at least twice our total load  
for the entire service.  I say that because our test framework poops  
out at that level, not because it couldn't do more than that.  That's  
somewhere well over 25 authentications/second.

Running Kerberos through a load balancer may confuse the name  
resolution code and break a lot of things.  There may be workarounds  
for these issues, but honestly I don't think it's worth the effort  
unless you know you need to.

I trust you have multiple entries in your krb5.conf files and you're  
not depending entirely on LB or RRDNS.  In my experience that's  
better failover than a front end because a front end would need to  
see some actual failures before it can adjust.  Use CNAME entries for  
your KDCs so you can replace servers easily without changing the  

On Jan 31, 2008, at 9:37 AM, Annelise Stighall wrote:

> Hi All,
> Do any of you have any experience with Kerberos and hardware  
> load balancing? We are currently running our Kerberos realm using  
> lbnamed for DNS round robin LB, but we would like to move to a  
> hardware-based load balancer to speed things up and also to load  
> balance many other of our services that currently are running in an  
> LVS environment. Opinions? Thoughts? Ideas?
> Thanks!

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
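The reply above recommends listing several KDCs directly in krb5.conf rather than relying on a load balancer or round-robin DNS for failover. The script below is an added example, not code from the thread or its authors: it parses the [realms] section of a krb5.conf and reports realms that list fewer than two kdc entries, which is the configuration that would leave a client dependent on the front end. The sample configuration and its hostnames are constructed for illustration.

```python
"""Audit a krb5.conf for per-realm KDC redundancy.

Added example (not from the mailing-list thread): it parses the [realms]
section of a krb5.conf and reports realms that list fewer than two KDCs,
i.e. realms whose client-side failover depends entirely on a load balancer
or round-robin DNS. The config text below is constructed for illustration;
the hostnames are placeholders.
"""
import re

# Constructed sample: REDUNDANT.EXAMPLE lists two KDCs, SINGLE.EXAMPLE only one.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = REDUNDANT.EXAMPLE
    dns_lookup_kdc = false

[realms]
    REDUNDANT.EXAMPLE = {
        kdc = kdc-a.redundant.example
        kdc = kdc-b.redundant.example:88
        admin_server = kdc-a.redundant.example
    }
    SINGLE.EXAMPLE = {
        kdc = kdc-vip.single.example
        admin_server = kdc-vip.single.example
    }

[domain_realm]
    .redundant.example = REDUNDANT.EXAMPLE
"""

_SECTION = re.compile(r"^\[(\w+)\]\s*$")            # e.g. "[realms]"
_REALM_OPEN = re.compile(r"^\s*([^\s=]+)\s*=\s*\{\s*$")  # e.g. "REALM = {"
_KEY_VALUE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)\s*$")    # e.g. "kdc = host:port"


def parse_realm_kdcs(conf_text):
    """Return {realm: [kdc, ...]} from the [realms] section, in file order."""
    kdcs = {}
    section = None
    realm = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1)
            realm = None
            continue
        if section != "realms":
            continue
        m = _REALM_OPEN.match(line)
        if m:
            realm = m.group(1)
            kdcs.setdefault(realm, [])
            continue
        if line.strip() == "}":
            realm = None
            continue
        m = _KEY_VALUE.match(line)
        if m and realm is not None and m.group(1) == "kdc":
            kdcs[realm].append(m.group(2))
    return kdcs


def realms_without_redundancy(conf_text, minimum=2):
    """Realms that list fewer than `minimum` kdc entries (sorted by name)."""
    return sorted(
        realm for realm, hosts in parse_realm_kdcs(conf_text).items()
        if len(hosts) < minimum
    )


if __name__ == "__main__":
    for realm, hosts in parse_realm_kdcs(SAMPLE_KRB5_CONF).items():
        print(f"{realm}: {len(hosts)} KDC(s) -> {hosts}")
    print("single-KDC realms:", realms_without_redundancy(SAMPLE_KRB5_CONF))
```

Run it against a real /etc/krb5.conf by reading the file into `parse_realm_kdcs`; a realm that appears in the single-KDC list has no client-side failover path other than whatever sits behind that one name.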