[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Kerberos and Load balancing

We already have a working Kerberos realm (which is 5 years old and has been working fab) but we are in a upgrade mode and we would like to replace our software lb with hardware lb. Does anyone have any actual experience with this? There were problems with the lvs and Kerberos translation which broke the usability of the system and the lbnamed solved that problem. I am not  worried about the overloading of the systems it is for fault tolerance that I want to know about this stuff.
>>> bacchi@rpi.edu 1/31/08 2:22:36 PM >>>
I agree with Henry that it's hard to overload a modern server.  I'm
doing over 1 million hits per day on my primary kdc and not having any
recurring problems.

You could simply create two versions of your krb5.conf file each with a
different primary kdc
kdc = server1
kdc = server2


kdc = server2
kdc = server1

Then split the distribution to your clients.

Henry B. Hotz wrote:
> It's not worth it.
> It's pretty hard to imagine a load that a single, modern server can't
> handle nicely.  You should run multiple servers for redundancy and
> reliability, not performance.  I'm running 7 servers, but that's due
> entirely to disaster recovery, firewall, and network topology *NOT*
> performance.
> A single 5-year-old Sun could handle at least twice our total load for
> the entire service.  I say that because our test framework poops out at
> that level, not because it couldn't do more than that.  That's somewhere
> well over 25 authentications/second.
> Running Kerberos through a load balancer may confuse the name resolution
> code and break a lot of things.  There may be workarounds for these
> issues, but honestly I don't think it's worth the effort unless you know
> you need to.
> I trust you have multiple entries in your krb5.conf files and you're not
> depending entirely on LB or RRDNS.  In my experience that's better
> failover than a front end because a front end would need to see some
> actual failures before it can adjust.  Use CNAME entries for your KDC's
> so you can replace servers easily without changing the krb5.conf.
> On Jan 31, 2008, at 9:37 AM, Annelise Stighall wrote:
>> Hi All,
>> Does anyone of you have any experience with Kerberos and hardware load
>> balancing ? We are currently running our Kerberos realm using lbnamed
>> for DNS round robin lb but we would like to move to a hardware based
>> load balancer to speed things up and also to load balance many other
>> of our services that currently are running in a lvs  environment.
>> Opinions ? Thoughts ? Ideas ?
>> Thanks!
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

veritatis simplex oratio est

Andrew Bacchi
Systems Programmer
Information Technologies Infrastructure
Rensselaer Polytechnic Institute
phone: 518.276.6415  fax: 518.276.2809