Stefan Kania <ste...@kania-online.de> writes:

> we have 4 ldap-providers, ldap1.example.net to ldap4.example.net. We
> are securing the replication via kerberos, and everything works fine
> between the providers. But now we want to set up some consumers. Between
> the providers and the consumers a loadbalancer is located, so the
> consumers only connect to the loadbalancer and the loadbalancer chooses
> one of the providers. For the replication we put the fqdn of the
> loadbalancer into the configuration. The fqdn is ldap.example.net. We
> then created a host-principal and a service-principal for
> ldap.example.net and we put the host-key into /etc/krb5.keytab of all
> ldap-providers, the same with the service-key. So now all providers can
> use both, their own keys and the keys from the loadbalancer. But it's
> not working :-(.
Two things to check:

First, how did you put the service key for ldap/ldap.example.net onto each host? If you used ktadd via kadmin, you alas did not do that. Each time you downloaded the keytab entry, ktadd randomized the key again, so only the last host on which you put the key has a correct key and all of the rest have incorrect keys. You have to either manually copy the keytab file between hosts without running ktadd again, or somehow use -norandkey to generate the keytab entry.

If that's not the problem, it used to be that you had to apply a one-line patch to Cyrus SASL to prevent it from forcing Kerberos to only use the keytab entry that it thought corresponded to the local hostname, which otherwise would prevent this trick from working. I thought Cyrus SASL upstream had finally taken that patch and included it in a release, but maybe you're using an old version of Cyrus SASL? I don't remember what error message that used to produce, though, so maybe this is a different problem.

-- 
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
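The first check above (whether every provider really holds the same key for ldap/ldap.example.net, or whether repeated ktadd runs left each host with a different, re-randomized key) can be done mechanically by reading each host's keytab and comparing the entries for that one principal. The following is an added example, not code from the thread or from MIT Kerberos: a small parser for the MIT keytab file format (version 0x0502) plus a comparison that reports, per host, whether the kvno/enctype set and the key material for the service principal match a reference host. The keytab contents, hostnames and keys are constructed for the example; in practice you would read /etc/krb5.keytab from each provider. Keys are compared by SHA-256 fingerprint so the check never prints raw key material.

```python
"""Compare the keytab entry for one service principal across several hosts.

Added example, not code from the original thread. Keytab format notes follow
MIT krb5: 2-byte version 0x0502, then entries prefixed by an int32 size
(negative size = deleted slot). Each entry: uint16 component count, realm
(uint16 length + bytes), components (same encoding), uint32 name type,
uint32 timestamp, uint8 vno8, uint16 enctype, uint16 key length, key bytes,
optional uint32 vno32 (used if present and nonzero).
"""
import hashlib
import struct
from collections import namedtuple

KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype key")


def _counted(buf, off):
    """Read a uint16-length-prefixed octet string at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Return a list of KeytabEntry for an MIT version-2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break                       # treat a zero-size slot as end of file
        if size < 0:
            off += -size                # deleted slot: skip the hole
            continue
        ent, p = data[off:off + size], 0
        off += size
        (ncomp,) = struct.unpack_from(">H", ent, p)
        p += 2
        realm, p = _counted(ent, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(ent, p)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", ent, p)
        p += 9
        enctype, keylen = struct.unpack_from(">HH", ent, p)
        p += 4
        key = ent[p:p + keylen]
        p += keylen
        kvno = vno8
        if size - p >= 4:               # 32-bit kvno trailer, if the writer added one
            (vno32,) = struct.unpack_from(">I", ent, p)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, key))
    return entries


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples; used only to construct samples."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # vno32 trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def compare_service_keys(keytabs, principal):
    """keytabs: {hostname: keytab bytes}. Returns a list of mismatch descriptions
    relative to the first host; an empty list means every host holds the same keys."""
    per_host = {}
    for host, data in keytabs.items():
        per_host[host] = {(e.kvno, e.enctype): hashlib.sha256(e.key).hexdigest()
                          for e in parse_keytab(data) if e.principal == principal}
    hosts = list(per_host)
    ref = hosts[0]
    problems = []
    for host in hosts[1:]:
        a, b = per_host[ref], per_host[host]
        if a.keys() != b.keys():
            problems.append(f"{host}: kvno/enctype set {sorted(b)} differs from {ref} {sorted(a)}")
            continue
        for k, fp in a.items():
            if b[k] != fp:
                problems.append(f"{host}: key for kvno {k[0]} enctype {k[1]} differs from {ref}")
    return problems


# Constructed sample: three providers. ldap1 and ldap2 got a copied keytab (same
# key, kvno 2); ldap3 ran ktadd again, which re-randomized the key and bumped kvno.
SERVICE = "ldap/ldap.example.net@EXAMPLE.NET"
AES256 = 18  # aes256-cts-hmac-sha1-96, 32-byte key
SHARED_KEY = bytes(range(32))
SAMPLE_KEYTABS = {
    "ldap1.example.net": build_keytab([("host/ldap1.example.net@EXAMPLE.NET", 1, AES256, b"\x11" * 32),
                                       (SERVICE, 2, AES256, SHARED_KEY)]),
    "ldap2.example.net": build_keytab([("host/ldap2.example.net@EXAMPLE.NET", 1, AES256, b"\x22" * 32),
                                       (SERVICE, 2, AES256, SHARED_KEY)]),
    "ldap3.example.net": build_keytab([("host/ldap3.example.net@EXAMPLE.NET", 1, AES256, b"\x33" * 32),
                                       (SERVICE, 3, AES256, b"\xaa" * 32)]),
}

if __name__ == "__main__":
    for line in compare_service_keys(SAMPLE_KEYTABS, SERVICE) or ["all hosts agree"]:
        print(line)
```

A mismatch in the kvno set is the signature of repeated ktadd runs: each run bumps the key version on the KDC and only the host that ran last matches it. The fix matches the advice in the reply: extract once (with MIT kadmin, `ktadd -norandkey -k <file> ldap/ldap.example.net`, which requires the extract-keys ACL privilege) and copy that file to the other providers, or copy an already-extracted keytab between hosts with `ktutil` or `scp` without touching the KDC again.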