Hi to all,

We have 4 LDAP providers, ldap1.example.net to ldap4.example.net. We are securing the replication via Kerberos, and everything works fine between the providers. But now we want to set up some consumers. Between the providers and the consumers a loadbalancer is located, so the consumers only connect to the loadbalancer and the loadbalancer chooses one of the providers. For the replication we put the FQDN of the loadbalancer into the configuration. The FQDN is ldap.example.net. We then created a host principal and a service principal for ldap.example.net, and we put the host key into /etc/krb5.keytab of all LDAP providers, and the same with the service key. So now all providers can use both their own keys and the keys from the loadbalancer.

But it's not working :-(. In the log of the provider we see that the consumer connects. ldaps is working. But Kerberos failed with the following messages:

--------------------
SASL [conn=5032] Failure: GSSAPI Error: Miscellaneous failure (see text) (Decrypt integrity check failed for checksum type hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96)
slapd[59382]: conn=5032 op=0 RESULT tag=97 err=49 qtime=0.000028 etime=0.017274 text=SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
--------------------

The same user we are using works without using the loadbalancer. If our solution is wrong, what would be the right way to use a loadbalancer together with Kerberos?

Stefan
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
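A "Decrypt integrity check failed" from gss_accept_sec_context means the acceptor (here slapd) tried to decrypt the service ticket with a key that does not match the key the KDC encrypted it with. One common way to get there with a shared principal such as ldap/ldap.example.net is to extract it into each provider's keytab separately: MIT `kadmin ktadd` generates a fresh random key and bumps the kvno on every extraction unless `-norandkey` is given, so only the last provider extracted holds the key the KDC currently uses. The script below is an added example written for this reply, not code from the original post, and it does not diagnose Stefan's setup; it shows how a defender can check that every provider's keytab carries the shared principal at the kvno the KDC issues tickets with. It parses the output of `klist -kt` (one listing per provider) and of `kvno` run from a client holding a TGT; the listings, hostnames, realm EXAMPLE.NET and kvno values are constructed sample data, chosen to show the per-host drift described above.

```python
import re

REALM = "EXAMPLE.NET"
SHARED = f"ldap/ldap.example.net@{REALM}"


def _listing(host, own_kvno, shared_kvno):
    """Build constructed `klist -kt /etc/krb5.keytab` output for one provider.

    Each provider holds its own host/ and ldap/ keys plus the shared
    ldap.example.net entries; the shared kvno differs per host on purpose.
    """
    return (
        "Keytab name: FILE:/etc/krb5.keytab\n"
        "KVNO Timestamp           Principal\n"
        "---- ------------------- --------------------------------------------\n"
        f"{own_kvno:4d} 01/10/2024 09:00:00 host/{host}@{REALM}\n"
        f"{own_kvno:4d} 01/10/2024 09:00:00 ldap/{host}@{REALM}\n"
        f"{shared_kvno:4d} 02/03/2024 10:00:00 host/ldap.example.net@{REALM}\n"
        f"{shared_kvno:4d} 02/03/2024 10:00:00 {SHARED}\n"
    )


# Constructed sample: ktadd was run once per provider, so the shared entry
# landed at kvno 3, 4, 5 and 6 respectively. Only ldap4 matches the KDC.
KLIST_OUTPUT = {
    "ldap1.example.net": _listing("ldap1.example.net", 2, 3),
    "ldap2.example.net": _listing("ldap2.example.net", 2, 4),
    "ldap3.example.net": _listing("ldap3.example.net", 2, 5),
    "ldap4.example.net": _listing("ldap4.example.net", 2, 6),
}

# Constructed sample output of `kvno ldap/ldap.example.net@EXAMPLE.NET`:
# the kvno the KDC uses right now when it issues tickets for the service.
KVNO_OUTPUT = f"{SHARED}: kvno = 6\n"

# `klist -kt` rows: KVNO, date, time, principal, optional "(enctype)" from -e.
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)(?:\s+\(.*\))?\s*$")
# `kvno` rows: "principal: kvno = N".
KVNO_LINE = re.compile(r"^(\S+): kvno = (\d+)$")


def parse_klist_kt(text):
    """Map each principal in a keytab listing to the set of kvnos it has."""
    entries = {}
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries


def parse_kvno(text):
    """Map each principal reported by `kvno` to the KDC's current kvno."""
    out = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line.strip())
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def find_stale_keytabs(listings, kdc_kvnos, principal):
    """Return the hosts whose keytab lacks `principal` at the KDC's kvno.

    A ticket for `principal` is encrypted with the KDC's current key; an
    acceptor whose keytab has only older kvnos for it cannot decrypt the
    ticket and reports a decrypt integrity check failure.
    """
    want = kdc_kvnos[principal]
    stale = []
    for host, text in listings.items():
        have = parse_klist_kt(text).get(principal, set())
        if want not in have:
            stale.append(host)
    return sorted(stale)


if __name__ == "__main__":
    kdc = parse_kvno(KVNO_OUTPUT)
    for host in find_stale_keytabs(KLIST_OUTPUT, kdc, SHARED):
        have = sorted(parse_klist_kt(KLIST_OUTPUT[host]).get(SHARED, ()))
        print(f"{host}: has kvno {have} for {SHARED}, KDC issues kvno {kdc[SHARED]}")
```

In real use the listings come from `klist -kt /etc/krb5.keytab` on each provider and the reference kvno from `kvno ldap/ldap.example.net` on a client that has a TGT; any host reported as stale will fail exactly the way the log above shows whenever the loadbalancer routes a consumer to it, while the matching host works, which is why a failure that comes and goes per connection is a useful hint. The remedy for this particular cause is to extract the shared principal once and distribute the same keytab entries to all providers instead of running a separate `ktadd` on each.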