Re: Kerberos and Load balancing

I agree with Henry that it's hard to overload a modern server.  I'm 
doing over 1 million hits per day on my primary kdc and not having any 
recurring problems.

You could simply create two versions of your krb5.conf file, each with a 
different primary kdc:

kdc = server1
kdc = server2

kdc = server2
kdc = server1

Then split the distribution to your clients.

Henry B. Hotz wrote:
> It's not worth it.
> It's pretty hard to imagine a load that a single, modern server can't 
> handle nicely.  You should run multiple servers for redundancy and 
> reliability, not performance.  I'm running 7 servers, but that's due 
> entirely to disaster recovery, firewall, and network topology *NOT* 
> performance.
> A single 5-year-old Sun could handle at least twice our total load for 
> the entire service.  I say that because our test framework poops out at 
> that level, not because it couldn't do more than that.  That's somewhere 
> well over 25 authentications/second.
> Running Kerberos through a load balancer may confuse the name resolution 
> code and break a lot of things.  There may be workarounds for these 
> issues, but honestly I don't think it's worth the effort unless you know 
> you need to.
> I trust you have multiple entries in your krb5.conf files and you're not 
> depending entirely on LB or RRDNS.  In my experience that's better 
> failover than a front end because a front end would need to see some 
> actual failures before it can adjust.  Use CNAME entries for your KDC's 
> so you can replace servers easily without changing the krb5.conf.
> On Jan 31, 2008, at 9:37 AM, Annelise Stighall wrote:
>> Hi All,
>> Do any of you have any experience with Kerberos and hardware load 
>> balancing? We are currently running our Kerberos realm using lbnamed 
>> for DNS round robin lb, but we would like to move to a hardware based 
>> load balancer to speed things up and also to load balance many other 
>> of our services that are currently running in an lvs environment. 
>> Opinions? Thoughts? Ideas?
>> Thanks!
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

veritatis simplex oratio est

Andrew Bacchi
Systems Programmer
Information Technologies Infrastructure
Rensselaer Polytechnic Institute
phone: 518.276.6415  fax: 518.276.2809
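The approach the thread converges on (every client lists every KDC for failover, but different client populations list them in a different order so first-try load is spread without a load balancer) can be generated rather than hand-edited. The script below is an added example, not code from the thread or from any of its posters; it generalizes the two-file trick to one variant per KDC, parses the generated stanza back to verify that each variant still contains every KDC and that each KDC is first in exactly one variant, and picks a variant per client deterministically. The realm name, KDC hostnames and the client names are constructed placeholders.

```python
"""Generate krb5.conf variants with rotated KDC order.

Added example (not from the mailing-list thread). Realm name, KDC
hostnames and client names below are constructed placeholders.
"""

import hashlib

REALM = "EXAMPLE.ORG"  # assumed realm name
# Assumed KDC names; CNAMEs, as the thread suggests, so hosts can be
# swapped without touching client configs.
KDCS = ["kdc1.example.org", "kdc2.example.org", "kdc3.example.org"]


def rotate(seq, n):
    """Return a copy of seq rotated left by n positions."""
    n %= len(seq)
    return seq[n:] + seq[:n]


def render_krb5_conf(realm, kdcs, admin_server=None):
    """Render a minimal krb5.conf whose realm stanza lists the KDCs in
    the given order (libkrb5 tries 'kdc =' entries in the order listed)."""
    lines = [
        "[libdefaults]",
        f"    default_realm = {realm}",
        "",
        "[realms]",
        f"    {realm} = {{",
    ]
    lines += [f"        kdc = {host}" for host in kdcs]
    if admin_server:
        lines.append(f"        admin_server = {admin_server}")
    lines += ["    }", ""]
    return "\n".join(lines)


def build_variants(realm, kdcs):
    """One variant per KDC: variant i puts kdcs[i] first, then the rest
    in rotated order, so every variant still carries the full failover list."""
    return [render_krb5_conf(realm, rotate(kdcs, i)) for i in range(len(kdcs))]


def kdc_order(conf_text, realm):
    """Parse the 'kdc =' values out of the realm's stanza, preserving order."""
    in_stanza = False
    order = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not in_stanza:
            if line.startswith(realm) and line.endswith("{"):
                in_stanza = True
            continue
        if line == "}":
            break
        key, _, value = line.partition("=")
        if key.strip() == "kdc":
            order.append(value.strip())
    return order


def check_variants(variants, realm, kdcs):
    """True if every variant lists every KDC (failover intact) and each
    KDC is the first entry in exactly one variant (load is spread)."""
    firsts = []
    for text in variants:
        order = kdc_order(text, realm)
        if sorted(order) != sorted(kdcs):
            return False
        firsts.append(order[0])
    return sorted(firsts) == sorted(kdcs)


def variant_for_client(client_name, n_variants):
    """Deterministically assign a client to a variant by hashing its name,
    so repeated runs hand the same client the same file."""
    digest = hashlib.sha256(client_name.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % n_variants


if __name__ == "__main__":
    variants = build_variants(REALM, KDCS)
    assert check_variants(variants, REALM, KDCS)
    for client in ("ws01.example.org", "ws02.example.org", "db07.example.org"):
        idx = variant_for_client(client, len(variants))
        print(f"{client} -> variant {idx}, first KDC {kdc_order(variants[idx], REALM)[0]}")
    print(variants[0])
```

Writing the variants out under different names (for example one per configuration-management group) and letting the assignment function decide which group a host belongs to keeps the distribution stable as hosts are added; the check function is worth running in CI on the generated files so a later edit cannot silently drop a KDC from one variant.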