Re: Kerberos and Load balancing
I agree with Henry that it's hard to overload a modern server. I'm
doing over 1 million hits per day on my primary kdc and not having any
recurring problems.
You could simply create two versions of your krb5.conf file each with a
different primary kdc
kdc = server1
kdc = server2
-------------------
kdc = server2
kdc = server1
Then split the distribution to your clients.
Henry B. Hotz wrote:
> It's not worth it.
>
> It's pretty hard to imagine a load that a single, modern server can't
> handle nicely. You should run multiple servers for redundancy and
> reliability, not performance. I'm running 7 servers, but that's due
> entirely to disaster recovery, firewall, and network topology *NOT*
> performance.
>
> A single 5-year-old Sun could handle at least twice our total load for
> the entire service. I say that because our test framework poops out at
> that level, not because it couldn't do more than that. That's somewhere
> well over 25 authentications/second.
>
> Running Kerberos through a load balancer may confuse the name resolution
> code and break a lot of things. There may be workarounds for these
> issues, but honestly I don't think it's worth the effort unless you know
> you need to.
>
> I trust you have multiple entries in your krb5.conf files and you're not
> depending entirely on LB or RRDNS. In my experience that's better
> failover than a front end because a front end would need to see some
> actual failures before it can adjust. Use CNAME entries for your KDCs
> so you can replace servers easily without changing the krb5.conf.
>
> On Jan 31, 2008, at 9:37 AM, Annelise Stighall wrote:
>
>> Hi All,
>>
>> Do any of you have any experience with Kerberos and hardware load
>> balancing? We are currently running our Kerberos realm using lbnamed
>> for DNS round-robin load balancing, but we would like to move to a
>> hardware-based load balancer to speed things up and also to load
>> balance many other of our services that currently run in an LVS
>> environment.
>> Opinions? Thoughts? Ideas?
>>
>> Thanks!
>
> ------------------------------------------------------------------------
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
>
>
>
--
veritatis simplex oratio est
-Seneca
Andrew Bacchi
Systems Programmer
Information Technologies Infrastructure
Rensselaer Polytechnic Institute
phone: 518.276.6415 fax: 518.276.2809
http://www.rpi.edu/~bacchi/
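As an added example that is not part of this thread, the script below generalizes Andrew's "two versions of krb5.conf" idea: every client gets a krb5.conf that lists all KDCs for failover (as Henry recommends), with the primary rotated per client from a stable digest of the hostname. The realm EXAMPLE.COM and the KDC CNAMEs are constructed placeholders.

```python
import hashlib

# Constructed sample values: a placeholder realm and KDC CNAMEs (CNAMEs let
# you swap servers without touching krb5.conf). Assumed: first entry is the
# master KDC that also runs kadmind.
REALM = "EXAMPLE.COM"
KDCS = ["kdc1.example.com", "kdc2.example.com", "kdc3.example.com"]


def kdc_order_for(client_hostname: str, kdcs: list[str]) -> list[str]:
    """Rotate the KDC list so each client gets a stable 'primary' KDC.

    A fixed digest (not Python's per-process salted hash()) chooses the
    rotation, so re-rendering for the same client gives the same file while
    clients as a group are spread over the KDCs. Every KDC stays in the list,
    so a client still fails over if its primary is down.
    """
    digest = hashlib.sha256(client_hostname.lower().encode()).digest()
    offset = int.from_bytes(digest[:4], "big") % len(kdcs)
    return kdcs[offset:] + kdcs[:offset]


def render_krb5_conf(realm: str, kdcs: list[str], client_hostname: str) -> str:
    """Render a minimal MIT-style krb5.conf with KDCs in client-specific order."""
    ordered = kdc_order_for(client_hostname, kdcs)
    kdc_lines = "\n".join(f"        kdc = {k}" for k in ordered)
    return (
        "[libdefaults]\n"
        f"    default_realm = {realm}\n"
        # Rely on the explicit list rather than round-robin DNS records.
        "    dns_lookup_kdc = false\n"
        "\n"
        "[realms]\n"
        f"    {realm} = {{\n"
        f"{kdc_lines}\n"
        # kadmin traffic is not rotated: it must reach the master KDC.
        f"        admin_server = {kdcs[0]}\n"
        "    }\n"
    )


if __name__ == "__main__":
    for host in ("ws1.example.com", "ws2.example.com"):
        print(f"# krb5.conf for {host}\n{render_krb5_conf(REALM, KDCS, host)}")
```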