Help with Heimdal to MIT conversion of code

2004-10-06 Thread ronnie sahlberg
Hi list I am the guy that implemented Kerberos support in Ethereal to allow users (given the keytab file is available) to decrypt the content of tickets. I would like to add support for MIT kerberos as well so that users can select at compile time which particular version of kerberos they use

Re: Kerberos behind load balancer?

2004-10-06 Thread Jason T Hardy
On Tue, 2004-10-05 at 23:03, Ken Raeburn wrote: I think there are better solutions to that. (1) Create a DNS name which points to multiple addresses; typically the nameserver will change the order randomly, which will effect some load balancing. (2) Use DNS SRV records to return the names

Re: Kerberos behind load balancer?

2004-10-06 Thread Jason T Hardy
On Wed, 2004-10-06 at 00:23, Frank Cusack wrote: balancer, have all of the KDC's share one hostname. Our kadmin server can also share that hostname. kerberos:88 - points to our KDC's kerberos:749 - point to our admin server Isn't that broken? You can't load balance the admin server

Re: Kerberos behind load balancer?

2004-10-06 Thread Ken Hornstein
Isn't that broken? You can't load balance the admin server because MIT isn't multi-master. For DR it's just as easy to bring up a new server with the old server's IP. No, it's not broken. The kadmin server that's active responds to the request. If my admin server goes down I can promote one

WindowsXP/Solaris : incorrect key version number

2004-10-06 Thread Jacques Lebastard
Hi there, a few days ago, I succeeded in running a SSPI/GSS-API client/server program between an XP workstation and a Solaris server. The server's keytab was generated using Windows 'ktpass' tool. I generated another keytab file using the same tool (with the same parameters) and installed that

Re: WindowsXP/Solaris : incorrect key version number

2004-10-06 Thread Douglas E. Engert
Jacques Lebastard wrote: Hi there, a few days ago, I succeeded in running a SSPI/GSS-API client/server program between an XP workstation and a Solaris server. The server's keytab was generated using Windows 'ktpass' tool. Windows 2000 AD did not handle the kvno correctly and always used 1 or 0.

Re: Kerberos behind load balancer?

2004-10-06 Thread Tillman Hodgson
On Wed, Oct 06, 2004 at 09:59:06AM -0400, Ken Hornstein wrote: And let me echo the comments of others: we've run our Kerberos servers on the oldest, crappiest hardware we've had kicking around the dustbin (we upgrade it occasionally, but it's always to the latest crappiest system we've got

Re: WindowsXP/Solaris : incorrect key version number

2004-10-06 Thread Jacques Lebastard
Douglas E. Engert wrote: Jacques Lebastard wrote: Hi there, a few days ago, I succeeded in running a SSPI/GSS-API client/server program between an XP workstation and a Solaris server. The server's keytab was generated using Windows 'ktpass' tool. Windows 2000 AD did not handle the kvno

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
And let me echo the comments of others: we've run our Kerberos servers on the oldest, crappiest hardware we've had kicking around the dustbin (we upgrade it occasionally, but it's always to the latest crappiest system we've got laying around). I seriously doubt you're going to need a load

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
I agree that the load is not an issue. But without DNS round-robin, and without the load-balancer, we'd have to arbitrarily point our systems and services at one of the slaves. If that slave goes down, we'd have to scramble to see who all was pointing to it and change them to point to the

Re: Kerberos behind load balancer?

2004-10-06 Thread Tillman Hodgson
On Wed, Oct 06, 2004 at 12:07:23PM -0500, Kasundra, Digant wrote: I agree that the load is not an issue. But without DNS round-robin, and without the load-balancer, we'd have to arbitrarily point our systems and services at one of the slaves. If that slave goes down, we'd have to scramble

Re: Kerberos behind load balancer?

2004-10-06 Thread Ken Hornstein
If we could modify DNS to do DNS round-robin, we too would be okay. But we can't. This is the part I don't understand. _WHY_ do you think you need this? I've literally run 6 years with a very simple setup: two KDCs, each one listed in DNS and our krb5.conf. On the rare occasions we lose a

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
Anycast looks promising. -Original Message- From: [EMAIL PROTECTED] on behalf of Tillman Hodgson Sent: Wed 10/6/2004 12:15 PM To: [EMAIL PROTECTED] Subject: Re: Kerberos behind load balancer? On Wed, Oct 06, 2004 at 12:07:23PM -0500, Kasundra, Digant wrote: I agree that the load is

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
How do you list both in DNS? Are you implying that in DNS you only have (for instance) kerb1.mit.edu and kerb2.mit.edu and list both machines as KDCs in the krb5.conf. If so, the app then randomly picks a KDC and tries that and if that fails, it rolls over to the next? You then build that

Re: Kerberos behind load balancer?

2004-10-06 Thread Ken Hornstein
How do you list both in DNS? Are you implying that in DNS you only have (for instance) kerb1.mit.edu and kerb2.mit.edu and list both machines as KDCs in the krb5.conf. If so, the app then randomly picks a KDC and tries that and if that fails, it rolls over to the next? You then build that

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
I should have added, using anycast might be doable, depending on what kind of network environment it would need. I'm not familiar with what kind of layout you would want to make this work. And of course, the same politics might not let us do this either -Original Message- From:

Re: Kerberos behind load balancer?

2004-10-06 Thread Sam Hartman
Jason == Jason T Hardy [EMAIL PROTECTED] writes: Jason Sam, Actually, a load balancer simplifies client deployment Jason in our case (we can't utilize DNS load balancing on our Jason campus). We can, with a load balancer, have all of the Jason KDC's share one hostname. Our kadmin

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
Jason can correct me if I'm wrong, but the internal politics here would not allow us to do this. I'm not 100% sure, however. -Original Message- From: [EMAIL PROTECTED] on behalf of Ken Hornstein Sent: Wed 10/6/2004 12:41 PM To: [EMAIL PROTECTED] Subject: Re: Kerberos behind load

Re: Kerberos behind load balancer?

2004-10-06 Thread Gary LaVoy
The load balancer is simply another failure point. As is everything else. However load balancers are complicated devices and more prone to failure. WHOA! - Yes load balancers can be complicated if you want to use all the features, but prone to failure?? where do you get that from? We have

Re: Kerberos behind load balancer?

2004-10-06 Thread Jason T Hardy
On Wed, 2004-10-06 at 12:52, Sam Hartman wrote: Jason == Jason T Hardy [EMAIL PROTECTED] writes: Jason Sam, Actually, a load balancer simplifies client deployment Jason in our case (we can't utilize DNS load balancing on our Jason campus). We can, with a load balancer, have all

Re: Kerberos behind load balancer?

2004-10-06 Thread Ken Hornstein
I guess the problem that everyone is having with our deployment is the term load-balancer. We don't actually want to ease the load off of our KDC's, we just want to provide a seamless way of ensuring availability in the event that we lose one (or more) of them. I think it's true for everyone who's

Re: WindowsXP/Solaris : incorrect key version number

2004-10-06 Thread Tyson Oswald
Jacques, I ran into a similar issue with going from Solaris to Windows AD. ktpass increments the ktnvo every time you run it against an account, and will create your keytab with the ktvno. On our servers the account created always started with 4. Make sure that your keytab is the most recent

Re: Kerberos behind load balancer?

2004-10-06 Thread Frank Cusack
On Wed, 6 Oct 2004 19:31:19 + (UTC) [EMAIL PROTECTED] (Jason T Hardy) wrote: I guess the problem that everyone is having with our deployment is the term load-balancer. We don't actually want to ease the load off of our ... Good, because: You'll say that DNS is the answer. I would agree.

Re: Kerberos behind load balancer?

2004-10-06 Thread Frank Cusack
On Wed, 6 Oct 2004 19:21:19 + (UTC) [EMAIL PROTECTED] (Gary LaVoy) wrote: The load balancer is simply another failure point. As is everything else. However load balancers are complicated devices and more prone to failure. WHOA! - Yes load balancers can be complicated if you want to use

Release 0.1.2 from the Hurderos Project.

2004-10-06 Thread g . w
Good evening to everyone. The Hurderos Project released version 0.1.2 of its Open-Source enterprise identity, services and authorization management solution on October 6th, 2004. Source and binaries are available at the following locations: Source: