Subject: Kerberos through loadbalancer
From: Stefan Kania
Newsgroups: comp.protocols.kerberos
Organization: Stefan Kania
Date: Fri, 20 May 2022 07:41 UTC
References: 1
Attachments: smime.p7s (application/pkcs7-signature)
Message-ID: <mailman.68.1653032493.8148.kerberos@mit.edu>
References: <8bca181e-086d-2fb1-037a-0975962a9be9@kania-online.de>
Hi to all,

we have 4 ldap-providers, ldap1.example.net to ldap4.example.net. We are
securing the replication via kerberos; everything works fine between the
providers. But now we want to set up some consumers. Between the
providers and the consumers a loadbalancer is located, so the consumers
only connect to the loadbalancer and the loadbalancer chooses one of the
providers. For the replication we put the fqdn of the loadbalancer
into the configuration. The fqdn is ldap.example.net. We then created a
host-principal and a service-principal for ldap.example.net and we put
the host-key into /etc/krb5.keytab of all ldap-providers, the same with
the service-key. So now all providers can use both their own keys and the
keys from the loadbalancer. But it's not working :-(. In the log of the
provider we see that the consumer connects. ldaps is working. But
kerberos fails with the following messages:
--------------------
SASL [conn=5032] Failure: GSSAPI Error:  Miscellaneous failure (see
text) (Decrypt integrity check failed for checksum type
hmac-sha1-96-aes256, key type aes256-cts-hmac-sha1-96)

slapd[59382]: conn=5032 op=0 RESULT tag=97 err=49 qtime=0.000028
etime=0.017274 text=SASL(-13): authentication failure: GSSAPI Failure:
gss_accept_sec_context

--------------------
The same user we are using works without using the loadbalancer. If our
solution is wrong, what would be the right way to use a loadbalancer
together with kerberos?

Stefan
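Added example, not part of the post above and not code from the MIT Kerberos project. When one service principal is shared by several hosts behind a balancer, the GSSAPI acceptor on whichever host receives the connection selects the keytab entry by principal name, kvno and enctype from the ticket; a "Decrypt integrity check failed" error means an entry was selected but its key bytes do not verify the ticket. The script below parses MIT keytabs (format 0x0502) and groups hosts by the exact entries they hold for the shared principal, fingerprinting the key bytes so that two entries with the same kvno but different keys are told apart. The hostnames, realm, and key bytes are constructed here; a real run would feed it the bytes of each provider's /etc/krb5.keytab.

```python
import hashlib
import struct
from collections import defaultdict

AES256_CTS_HMAC_SHA1_96 = 18  # enctype number of the key type named in the log

def _counted(b):
    return struct.pack(">H", len(b)) + b

def build_keytab(entries):
    """Encode (principal, kvno, enctype, key) tuples as an MIT keytab (format 0x0502).
    Used here only to construct sample data; real keytabs come from kadmin/ktutil."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type, timestamp, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Decode an MIT 0x0502 keytab into dicts with principal, kvno, enctype and key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        parts = []                    # realm first, then the name components
        for _ in range(ncomp + 1):
            (ln,) = struct.unpack_from(">H", data, pos)
            parts.append(data[pos + 2:pos + 2 + ln].decode())
            pos += 2 + ln
        _name_type, _stamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        key = data[pos + 4:pos + 4 + klen]
        pos += 4 + klen
        if end - pos >= 4:            # 32-bit kvno overrides the 8-bit field when present
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "kvno": kvno, "enctype": enctype, "key": key})
        pos = end
    return entries

def group_hosts_by_key(keytab_by_host, principal):
    """Group hosts by the set of (kvno, enctype, key fingerprint) they hold for
    `principal`. A single group means every host can decrypt the same tickets."""
    groups = defaultdict(list)
    for host, data in keytab_by_host.items():
        entries = frozenset((e["kvno"], e["enctype"], hashlib.sha256(e["key"]).hexdigest()[:16])
                            for e in parse_keytab(data) if e["principal"] == principal)
        groups[entries].append(host)
    return dict(groups)

def is_consistent(keytab_by_host, principal):
    return len(group_hosts_by_key(keytab_by_host, principal)) == 1

def outlier_hosts(keytab_by_host, principal):
    """Hosts outside the largest group: their keytab names the principal, so the
    acceptor picks the entry, but version or key bytes differ from the other hosts."""
    groups = sorted(group_hosts_by_key(keytab_by_host, principal).values(), key=len, reverse=True)
    return sorted(h for g in groups[1:] for h in g)

# Constructed sample keytabs for three providers (hypothetical, not from the post).
# Key bytes are derived from labels so the sample is deterministic and obviously fake.
def _fake_key(label):
    return hashlib.sha256(b"constructed-sample-key:" + label.encode()).digest()

REALM = "EXAMPLE.NET"
SHARED_HOST = ("host/ldap.example.net@" + REALM, 2, AES256_CTS_HMAC_SHA1_96, _fake_key("host-lb"))
SHARED_LDAP = ("ldap/ldap.example.net@" + REALM, 2, AES256_CTS_HMAC_SHA1_96, _fake_key("ldap-lb"))
STALE_LDAP = (SHARED_LDAP[0], 2, AES256_CTS_HMAC_SHA1_96, _fake_key("ldap-lb-stale"))

KEYTAB_BY_HOST = {}
for _n in (1, 2, 3):
    _own = f"ldap{_n}.example.net"
    KEYTAB_BY_HOST[_own] = build_keytab([
        (f"host/{_own}@{REALM}", 2, AES256_CTS_HMAC_SHA1_96, _fake_key(f"host-{_n}")),
        (f"ldap/{_own}@{REALM}", 2, AES256_CTS_HMAC_SHA1_96, _fake_key(f"ldap-{_n}")),
        SHARED_HOST,
        SHARED_LDAP if _n != 3 else STALE_LDAP,  # ldap3: same kvno, different key material
    ])

if __name__ == "__main__":
    for principal in (SHARED_HOST[0], SHARED_LDAP[0]):
        status = "consistent" if is_consistent(KEYTAB_BY_HOST, principal) else "DIVERGENT"
        print(f"{principal}: {status}; outliers: {outlier_hosts(KEYTAB_BY_HOST, principal)}")
```

To run it against real hosts, collect each provider's keytab bytes (`open(path, "rb").read()`) into the `{host: bytes}` mapping; the keytab holds long-term secret keys, so transfer and delete the copies the way you would any other credential. Two points the grouping makes visible that `klist -k` alone does not: entries with equal kvno and enctype can still carry different key bytes, and with MIT kadmin every `ktadd` invocation generates a fresh random key and increments the kvno, so a shared principal should be extracted once and the same entry distributed to all hosts rather than extracted separately on each.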
