Re: Kerberos and Load balancing
It's not worth it.

It's pretty hard to imagine a load that a single, modern server can't
handle nicely. You should run multiple servers for redundancy and
reliability, not performance. I'm running 7 servers, but that's due
entirely to disaster recovery, firewall, and network topology, *NOT*
performance.

A single 5-year-old Sun could handle at least twice our total load
for the entire service. I say that because our test framework poops
out at that level, not because it couldn't do more than that. That's
somewhere well over 25 authentications/second.

Running Kerberos through a load balancer may confuse the name
resolution code and break a lot of things. There may be workarounds
for these issues, but honestly I don't think it's worth the effort
unless you know you need to.

I trust you have multiple entries in your krb5.conf files and you're
not depending entirely on LB or RRDNS. In my experience that's
better failover than a front end, because a front end would need to
see some actual failures before it can adjust. Use CNAME entries for
your KDCs so you can replace servers easily without changing the
krb5.conf.
On Jan 31, 2008, at 9:37 AM, Annelise Stighall wrote:
> Hi All,
>
> Do any of you have any experience with Kerberos and hardware
> load balancing? We are currently running our Kerberos realm using
> lbnamed for DNS round robin lb, but we would like to move to a
> hardware based load balancer to speed things up and also to load
> balance many of our other services that currently are running in a
> lvs environment. Opinions? Thoughts? Ideas?
>
> Thanks!
------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
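The advice above, to list several KDCs per realm in krb5.conf rather than one load-balancer or round-robin name, can be checked mechanically. The script below is an added example, not code from the thread or from any Kerberos distribution: it parses the [realms] section of a constructed krb5.conf and reports realms whose clients have no second kdc entry to fail over to. Hostnames and realm names are made up.

```python
import re

# Constructed sample krb5.conf (not from the thread): EXAMPLE.COM lists
# two KDC CNAMEs as the post advises; LB.EXAMPLE.COM relies on a single
# load-balancer name, so the client has nothing to fail over to.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc-admin.example.com
    }
    LB.EXAMPLE.COM = {
        kdc = kdc-lb.example.com
    }
"""

def parse_realm_kdcs(conf_text):
    """Return {realm: [kdc hostnames]} from the [realms] section."""
    realms, section, current = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:                       # new [section] header
            section = m.group(1)
            continue
        if section != 'realms':
            continue
        m = re.match(r'^([^\s=]+)\s*=\s*\{$', line)
        if m:                       # start of "REALM = {" block
            current = m.group(1)
            realms.setdefault(current, [])
            continue
        if line == '}':             # end of realm block
            current = None
            continue
        m = re.match(r'^kdc\s*=\s*(\S+)', line)
        if m and current:
            realms[current].append(m.group(1))
    return realms

def single_kdc_realms(conf_text):
    """Realms with fewer than two kdc entries: no client-side failover."""
    kdcs = parse_realm_kdcs(conf_text)
    return sorted(r for r, hosts in kdcs.items() if len(hosts) < 2)
```

Run it against a real krb5.conf by reading the file into `single_kdc_realms`; any realm it names depends on a single name (LB, RRDNS or one host) for failover.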