Re: Kerberos behind load balancer?

2004-10-07 Thread Henry B. Hotz
My basic objection to a load balancer is that Kerberos was designed to do its own failover without one. Kerberos was also originally designed to require FQDN's to uniquely map to the destination IP numbers. Violations of those assumptions deserved to fail because they might indicate some at

Re: Kerberos behind load balancer?

2004-10-06 Thread Frank Cusack
On Wed, 6 Oct 2004 19:21:19 + (UTC) [EMAIL PROTECTED] (Gary LaVoy) wrote: The load balancer is simply another failure point. >>> >>> As is everything else. >> >> However load balancers are complicated devices and more prone to >> failure. > > WHOA! - Yes load balancers can be complicated i

Re: Kerberos behind load balancer?

2004-10-06 Thread Frank Cusack
On Wed, 6 Oct 2004 19:31:19 + (UTC) [EMAIL PROTECTED] (Jason T Hardy) wrote: > I guess the problem that everyone is having with our deployment is the > term load-balancer. We don't actually want to ease the load off of our ... Good, because: > You'll say that DNS is the answer. I would agree

Re: Kerberos behind load balancer?

2004-10-06 Thread Ken Hornstein
>I guess the problem that everyone is having with our deployment is the >term load-balancer. We don't actually want to ease the load off of our >KDC's, we just want provide a seamless way of ensuring availability in >the event that we lose one (or more) of them. I think it's true for >everyone who'

Re: Kerberos behind load balancer?

2004-10-06 Thread Jason T Hardy
On Wed, 2004-10-06 at 12:52, Sam Hartman wrote: > > "Jason" == Jason T Hardy <[EMAIL PROTECTED]> writes: > > Jason> Sam, Actually, a load balancer simplifies client deployment > Jason> in our case (we can't utilize DNS load balancing on our > Jason> campus). We can, with a load bal

Re: Kerberos behind load balancer?

2004-10-06 Thread Gary LaVoy
The load balancer is simply another failure point. As is everything else. However load balancers are complicated devices and more prone to failure. WHOA! - Yes load balancers can be complicated if you want to use all the features, but "prone to failure"?? where do you get that from? We have hund

Re: Kerberos behind load balancer?

2004-10-06 Thread Frank Cusack
On Wed, 6 Oct 2004 12:54:27 + (UTC) [EMAIL PROTECTED] (Jason T Hardy) wrote: > I can't modify DNS. Ah, well then that's a crazy restriction (since as a sysadmin, one with a load balancer at your disposal, you can almost certainly spoof DNS and make it do what you want anyway. I doubt you use

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
Jason can correct me if I'm wrong, but the internal politics here would not allow us to do this. I'm not 100% sure, however. -Original Message- From: [EMAIL PROTECTED] on behalf of Ken Hornstein Sent: Wed 10/6/2004 12:41 PM To: [EMAIL PROTECTED] Subject: Re: Kerberos b

Re: Kerberos behind load balancer?

2004-10-06 Thread Sam Hartman
> "Jason" == Jason T Hardy <[EMAIL PROTECTED]> writes: Jason> Sam, Actually, a load balancer simplifies client deployment Jason> in our case (we can't utilize DNS load balancing on our Jason> campus). We can, with a load balancer, have all of the Jason> KDC's share one hostname

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
ssage- From: [EMAIL PROTECTED] on behalf of Tillman Hodgson Sent: Wed 10/6/2004 12:15 PM To: [EMAIL PROTECTED] Subject: Re: Kerberos behind load balancer? On Wed, Oct 06, 2004 at 12:07:23PM -0500, Kasundra, Digant wrote: > I agree that the load is not an issue. But without DNS round-ro

Re: Kerberos behind load balancer?

2004-10-06 Thread Ken Hornstein
>How do you list both in DNS? Are you implying that in DNS you only have >(for instance) kerb1.mit.edu and kerb2.mit.edu and list both machines as >KDCs in the krb5.conf. If so, the app then randomly picks a KDC and >tries that and if that fails, it rolls over to the next? You then build >that f

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
t this done and bound by other politics to not do it the way everyone else is. -- DK -Original Message- From: [EMAIL PROTECTED] on behalf of Ken Hornstein Sent: Wed 10/6/2004 12:14 PM To: [EMAIL PROTECTED] Subject: Re: Kerberos behind load balancer? >If we could modify DNS to do D

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
Anycast looks promising. -Original Message- From: [EMAIL PROTECTED] on behalf of Tillman Hodgson Sent: Wed 10/6/2004 12:15 PM To: [EMAIL PROTECTED] Subject: Re: Kerberos behind load balancer? On Wed, Oct 06, 2004 at 12:07:23PM -0500, Kasundra, Digant wrote: >> I agree that th

Re: Kerberos behind load balancer?

2004-10-06 Thread Ken Hornstein
>If we could modify DNS to do DNS round-robin, we too would be okay. But >we can't. This is the part I don't understand. _WHY_ do you think you need this? I've literally run 6 years with a very simple setup: two KDCs, each one listed in DNS and our krb5.conf. On the rare occasions we lose a ma

Re: Kerberos behind load balancer?

2004-10-06 Thread Tillman Hodgson
On Wed, Oct 06, 2004 at 12:07:23PM -0500, Kasundra, Digant wrote: > I agree that the load is not an issue. But without DNS round-robin, > and without the load-balancer, we'd have to arbitrarily point our > systems and services at one of the slaves. If that slave goes down, > we'd have to scrambl

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
- From: [EMAIL PROTECTED] on behalf of Tillman Hodgson Sent: Wed 10/6/2004 11:46 AM To: [EMAIL PROTECTED] Subject: Re: Kerberos behind load balancer? On Wed, Oct 06, 2004 at 09:59:06AM -0400, Ken Hornstein wrote: > And let me echo the comments of others: we've run our Kerberos serve

RE: Kerberos behind load balancer?

2004-10-06 Thread Kasundra, Digant
> And let me echo the comments of others: we've run our Kerberos servers on > the oldest, crappiest hardware we've had kicking around the dustbin (we > upgrade it occasionally, but it's always to the latest "crappiest" system > we've got laying around). I seriously doubt you're going to need a loa

Re: Kerberos behind load balancer?

2004-10-06 Thread Tillman Hodgson
On Wed, Oct 06, 2004 at 09:59:06AM -0400, Ken Hornstein wrote: > And let me echo the comments of others: we've run our Kerberos servers on > the oldest, crappiest hardware we've had kicking around the dustbin (we > upgrade it occasionally, but it's always to the latest "crappiest" system > we've go

Re: Kerberos behind load balancer?

2004-10-06 Thread Ken Hornstein
>> Isn't that broken? You can't load balance the admin server because >> MIT isn't multi-master. For DR it's just as easy to bring up a new >> server with the old server's IP. > >No, it's not broken. The kadmin server that's active responds to the >request. If my admin server goes down I can "pro

Re: Kerberos behind load balancer?

2004-10-06 Thread Jason T Hardy
On Wed, 2004-10-06 at 00:23, Frank Cusack wrote: > > balancer, have all of the KDC's share one hostname. Our kadmin server > > can also share that hostname. > > > > kerberos:88 -> points to our KDC's > > kerberos:749 -> point to our admin server > > Isn't that broken? You can't load balance the

Re: Kerberos behind load balancer?

2004-10-06 Thread Jason T Hardy
On Tue, 2004-10-05 at 23:03, Ken Raeburn wrote: > I think there are better solutions to that. (1) Create a DNS name > which points to multiple addresses; typically the nameserver will > change the order randomly, which will effect some load balancing. (2) > Use DNS SRV records to return the na

Re: Kerberos behind load balancer?

2004-10-05 Thread Frank Cusack
On Wed, 6 Oct 2004 03:59:35 + (UTC) [EMAIL PROTECTED] (Jason T Hardy) wrote: > Sam, > > Actually, a load balancer simplifies client deployment in our case (we > can't utilize DNS load balancing on our campus). We can, with a load Don't need DNS load balancing (and it's broken anyway). > balan

Re: Kerberos behind load balancer?

2004-10-05 Thread Ken Raeburn
On Oct 5, 2004, at 23:15, Jason T Hardy wrote: Sam, Actually, a load balancer simplifies client deployment in our case (we can't utilize DNS load balancing on our campus). We can, with a load balancer, have all of the KDC's share one hostname. Our kadmin server can also share that hostname. kerber

Re: Kerberos behind load balancer?

2004-10-05 Thread Jason T Hardy
Sam, Actually, a load balancer simplifies client deployment in our case (we can't utilize DNS load balancing on our campus). We can, with a load balancer, have all of the KDC's share one hostname. Our kadmin server can also share that hostname. kerberos:88 -> points to our KDC's kerberos:749 ->

Re: Kerberos behind load balancer?

2004-10-05 Thread Sam Hartman
Sticking your KDC behind a load balancer seems like a singularly bad idea. It's going to introduce a lot of complexity for no real benefit. Kerberos mailing list [EMAIL PROTECTED] https://mailman.mit.edu/mailman/listinfo/kerberos

Kerberos behind load balancer?

2004-09-30 Thread Kasundra, Digant
Hello folks, We just bought ourselves a nifty little NetScaler load balancing router. But we can't seem to make it work with Kerberos. I believe we're supposed to set up the balancer to forward on the source IP and add a loopback address (not sure how) that listens to the same virtual IP and resp