Hi,

Just wondering if anyone can tell me if it's possible or reasonable to put multiple KDCs behind an F5 BigIP for load balance purposes? We have tried a simple configuration with port 88 UDP but it seems to cause some issues with the KDCs. Getting a TGT with kinit seems to work just fine, but when using an application (e.g. NFS) the TGS seems to fail. It would be nice to use the F5 load balancer since we have to use krb5.conf, deploying it on thousands of systems.

KDC issue in log file:

    tail -f /var/log/krb5kdc.log
    krb5kdc: Invalid message type - while dispatching (udp)
    krb5kdc: Invalid message type - while dispatching (udp)
    krb5kdc: Invalid message type - while dispatching (udp)
    krb5kdc: Invalid message type - while dispatching (udp)

We suspect this is the F5 probe to determine if port 88 is alive?

When trying to access a Kerberos NFS mount point the kinit works but the TGS seems to fail. Briefly looking at a packet trace of the failure shows as the last packet received from the F5:

    KRB ERROR: KRB5KRB_AP_ERR_BADADDR

Any information on load balancing KDCs with an F5 would be highly appreciated.

Thanks,
Kevin
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos