I agree that the load is not an issue. But without DNS round-robin, and without the load-balancer, we'd have to arbitrarily point our systems and services at one of the slaves. If that slave goes down, we'd have to scramble to see who all was pointing to it and change them to point to the other place.
DNS round-robin would be best, but some options for those of us with our hands tied would be nice. I think we may have a working solution, although we are still testing it, and it did require a code patch to allow listening to the loopback.

-- DK

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Tillman Hodgson
Sent: Wed 10/6/2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: Re: Kerberos behind load balancer?

On Wed, Oct 06, 2004 at 09:59:06AM -0400, Ken Hornstein wrote:
> And let me echo the comments of others: we've run our Kerberos servers on
> the oldest, crappiest hardware we've had kicking around the dustbin (we
> upgrade it occasionally, but it's always to the latest "crappiest" system
> we've got laying around). I seriously doubt you're going to need a load
> balancer. And if you don't need it, I can't see it causing you anything
> but trouble in the long run.

I can echo that sentiment as well.

When I first started looking into Kerberos I was concerned about client load on the KDC. This post (from 1993) put my fears to rest:

http://groups.google.ca/groups?hl=en&lr=&th=f5ea1615382bdfcc&rnum=2

I can indeed confirm that a DECStation 5000/25 (with a 25MHz MIPS R3000 CPU and a 10MBit AUI ethernet port) can handle whatever I could throw at it, including authentication for a website (via apache mod_auth_kerb) that did not cache tickets, without showing any real load that I could measure. It was _idling_.

I'm now running it on a SparcStation 10, simply because I don't have the DECStation any more and the old Sun box is the oldest crappiest hardware I have left where I still trust the hard drive (a relatively modern Seagate replacement, in this case). Older RISC hardware also tends to have real serial consoles, which is a Good Thing on a KDC that doesn't allow network logins :-)

If I /was/ going to load balance a KDC in some form, I'd do it not to shift load as in CPU-load but rather to optimize latency for wide-area links. Anycast would be the method I'd use.

-T

--
"If you already know what recursion is, just remember the answer. Otherwise, find someone who is standing closer to Douglas Hofstadter than you are; then ask him or her what recursion is." -- Andrew "Zarf" Plotkin

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos