Subject: Re: Kerberos through loadbalancer
From: Russ Allbery
Newsgroups: comp.protocols.kerberos
Organization: The Eyrie
Date: Fri, 20 May 2022 16:45 UTC
References: 1 2
Stefan Kania <stefan@kania-online.de> writes:

> We have 4 ldap-providers, ldap1.example.net to ldap4.example.net. We
> are securing the replication via Kerberos, and everything works fine
> between the providers. But now we want to set up some consumers. Between
> the providers and the consumers a loadbalancer is located, so the
> consumers only connect to the loadbalancer and the loadbalancer chooses
> one of the providers. For the replication we put the fqdn of the
> loadbalancer into the configuration. The fqdn is ldap.example.net. We
> then created a host-principal and a service-principal for
> ldap.example.net and we put the host-key into /etc/krb5.keytab of all
> ldap-providers, the same with the service-key. So now all providers can
> use both, their own keys and the keys from the loadbalancer. But it's
> not working :-(.

Two things to check:

First, how did you put the service key for ldap/ldap.example.net onto each
host?  If you used ktadd via kadmin, you alas did not do that.  Each time
you downloaded the keytab entry, ktadd randomized the key again, so only
the last host on which you put the key has a correct key and all of the
rest have incorrect keys.

You have to either manually copy the keytab file between hosts without
running ktadd again, or somehow use -norandkey to generate the keytab
entry.

If that's not the problem, it used to be that you had to apply a one-line
patch to Cyrus SASL to prevent it from forcing Kerberos to only use the
keytab entry that it thought corresponded to the local hostname, which
otherwise would prevent this trick from working.  I thought Cyrus SASL
upstream had finally taken that patch and included it in a release, but
maybe you're using an old version of Cyrus SASL?  I don't remember what
error message that used to produce, though, so maybe this is a different
problem.

--
Russ Allbery (eagle@eyrie.org)             https://www.eyrie.org/~eagle/
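As an added example (not part of the original post or of any project mentioned in it), the following script shows the workflow the reply recommends and a check for the failure it describes: extract the load-balancer principals once with `-norandkey`, merge that keytab into `/etc/krb5.keytab` on every provider with `ktutil` instead of re-running `ktadd`, and compare the kvno each provider reports so that a host left with a stale key is visible. The realm `EXAMPLE.NET`, the `root@host` SSH access, the temporary keytab path and the sample `klist -k` output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed: realm EXAMPLE.NET,
# root SSH access to the providers, MIT Kerberos tools (kadmin.local, ktutil,
# klist). The klist output used at the end is constructed sample data.

PRINC="ldap/ldap.example.net@EXAMPLE.NET"
HOST_PRINC="host/ldap.example.net@EXAMPLE.NET"
PROVIDERS="ldap1.example.net ldap2.example.net ldap3.example.net ldap4.example.net"
TMP_KEYTAB="/tmp/ldap-lb.keytab"

# Step 1: on the KDC, extract both shared principals ONCE into a temporary
# keytab. -norandkey keeps the key the KDC already holds, so the kvno does not
# change. Running plain ktadd once per host randomizes the key every time and
# leaves only the last host with a key that matches the KDC.
extract_shared_keytab() {
    kadmin.local -q "ktadd -norandkey -k $TMP_KEYTAB $PRINC $HOST_PRINC"
}

# Step 2: merge the temporary keytab into the system keytab on one provider
# without contacting the KDC again (ktutil rkt/wkt), then remove the copy.
merge_into_system_keytab() {
    host="$1"
    ssh "root@$host" "printf 'rkt $TMP_KEYTAB\nwkt /etc/krb5.keytab\nquit\n' | ktutil && rm -f $TMP_KEYTAB"
}

# Copy the same file to every provider and merge it there.
distribute_shared_keytab() {
    for h in $PROVIDERS; do
        scp "$TMP_KEYTAB" "root@$h:$TMP_KEYTAB"
        merge_into_system_keytab "$h"
    done
    rm -f "$TMP_KEYTAB"
}

# Step 3 (check): turn one host's 'klist -k' output into "host kvno principal"
# lines. Only data rows start with a number, so the header lines are skipped.
klist_to_tuples() {
    awk -v h="$1" '$1 ~ /^[0-9]+$/ { print h, $1, $2 }'
}

# Count how many different kvnos the hosts report for one principal.
# 1 means every host holds the same key version; anything else means some
# host ran ktadd on its own and has a key the KDC no longer knows.
distinct_kvnos() {
    awk -v p="$1" '$3 == p { seen[$2] = 1 }
                   END { n = 0; for (k in seen) n++; print n + 0 }'
}

# Real use, once the keytabs are in place:
#   for h in $PROVIDERS; do ssh "root@$h" klist -k | klist_to_tuples "$h"; done \
#       | distinct_kvnos "$PRINC"

# Constructed sample 'klist -k' output (not real data) for providers where
# ktadd was run separately on ldap1: the per-host host/ entries legitimately
# differ, but the shared ldap/ entry has kvno 3 on ldap1 and kvno 4 elsewhere.
sample_klist() {
    case "$1" in
        ldap1.example.net) kv=3 ;;
        *) kv=4 ;;
    esac
    printf 'Keytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n---- ----\n'
    printf '   2 host/%s@EXAMPLE.NET\n' "$1"
    printf '   %s %s\n' "$kv" "$PRINC"
}

# Run the check over the constructed sample; prints the number of distinct
# kvnos seen for the shared principal (2 here, so the keys disagree).
sample_distinct_kvnos() {
    for h in $PROVIDERS; do
        sample_klist "$h" | klist_to_tuples "$h"
    done | distinct_kvnos "$PRINC"
}

echo "distinct kvnos for $PRINC across sample hosts: $(sample_distinct_kvnos)"
```

Only the shared `ldap/` and `host/` principals for `ldap.example.net` need to agree across providers; each provider's own `host/ldapN.example.net` entry is expected to have its own key and kvno, which is why the check is keyed on a single principal name. If the kvno does agree everywhere and the bind still fails, the Cyrus SASL hostname issue the reply mentions is the next thing to look at.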
