[Freeipa-users] freeipa behind a load balancer

Matt . yamakasi.014 at gmail.com
Thu Apr 2 08:03:04 UTC 2015


OK, to keep this updated.

With some Kerberos gurus we have looked at how IPA behaves when you
change all DNS names, PTRs and A's to the load balancer, and every time
you get a ticket from the server service principal itself.

With kvno you can get a ticket for the load balancer, but when you run
your "failing script" you also see a ticket coming back from the IPA
server itself.

I have seen some mailings from last year too with no solution... it
seems to be a showstopper on that part :(



2015-04-01 20:41 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
> Hi,
>
> I'm not giving up on this, so I'm testing.
>
> I'm unsure at the moment about the keytab. The keytab is normally for
> the user that needs to be able to do "stuff", but in this case we need
> one for the loadbalancer name or the client .... maybe combined ?
>
> I lost that overview... would be nice to get some advice here.
>
> Thanks!
>
> Matt
>
> 2015-03-31 21:23 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>> OK, but we need to do this using IPA (as IPA does some things
>> differently, it seems).
>>
>> Anyone testing this perhaps ? (/me is multitasking atm)
>>
>> 2015-03-31 20:22 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
>>> Brendan Kearney wrote:
>>>> On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
>>>>> On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
>>>>>> But IPA is more complex and some operations will be performed directly
>>>>>> against the specific server name, so you need to keep 2 sets of keys
>>>>>> (one for the server name and one for the load balancer name), but that
>>>>>> does not work right now.
>>>>>
>>>>> One experiment that can be done is to remove all "per-server" HTTP
>>>>> services for the IPA server, and instead add their name as aliases on
>>>>> the common load-balancer name.
>>>>>
>>>>> This would mean that all IPA servers would have just one key in their
>>>>> HTTP keytab, but the KDC would release tickets readable by that key for
>>>>> any name the clients may ask for.
>>>>>
>>>>> It is a bit tricky, every time you build a replica you want to
>>>>> load-balance you'll have to go back and remove the service and switch
>>>>> keytabs, but it may be an option. Of course if you brick IPA then you
>>>>> get to keep the pieces :-)
>>>>>
>>>>> Simo.
>>>>>
>>>>
>>>> Careful there, as Kerberos balks at CNAME records.  I think you need to
>>>> use A records.  I ran into a couple of odd issues and decided to only use
>>>> A/PTR records for my stuff and never went "exploring" for
>>>> options/alternatives.
>>>>
>>>
>>> Not DNS aliases, Kerberos principal aliases.
>>>
>>> rob
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
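Simo's experiment quoted above (each IPA server keeps a single HTTP key, on the load-balancer name, with the per-server names as principal aliases) is easy to drift away from once a replica is rebuilt. The following check is an added example, not code from the list or from the FreeIPA project: it parses `klist -kte` output for an IPA server's HTTP keytab and reports whatever still deviates from that one-key design, including a kvno mismatch between enctypes that the thread does not mention but that shows up as the same "ticket not readable" symptom. The host names, realm and the sample listing are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of what `klist -kte /etc/httpd/conf/ipa.keytab` prints on a
# replica where the per-server HTTP service was NOT removed (hypothetical names).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/31/2015 10:00:00 HTTP/ipa1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 03/31/2015 10:00:00 HTTP/ipa1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   5 03/31/2015 10:05:00 HTTP/ipa-lb.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   4 03/31/2015 10:02:00 HTTP/ipa-lb.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
"""

# One keytab entry: kvno, date, time, principal@REALM, (enctype).
ENTRY = re.compile(r"^\s*(\d+)\s+\S+ \S+\s+(\S+?)@(\S+)\s+\((\S+)\)")


def parse_keytab_listing(text):
    """Map each principal in `klist -kte` output to the set of kvnos it has keys for."""
    keys = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, princ, realm, _enctype = m.groups()
            keys[f"{princ}@{realm}"].add(int(kvno))
    return dict(keys)


def audit_http_keytab(text, lb_host, realm):
    """Return findings where the keytab deviates from 'one HTTP key, on the LB name'.
    An empty list means the keytab matches the design."""
    http = {p: v for p, v in parse_keytab_listing(text).items() if p.startswith("HTTP/")}
    lb = f"HTTP/{lb_host}@{realm}"
    findings = []
    if lb not in http:
        findings.append(f"missing {lb}: this server cannot read tickets issued for the LB name")
    for p in sorted(http):
        if p != lb:
            findings.append(f"per-server key {p} still present: under the alias design its "
                            f"HTTP service is removed and the name added as an alias of {lb}")
    for p, kvnos in sorted(http.items()):
        if len(kvnos) > 1:
            findings.append(f"{p} has differing kvnos {sorted(kvnos)} across enctypes: "
                            f"one of the keys is stale from before a rotation")
    return findings


if __name__ == "__main__":
    for f in audit_http_keytab(SAMPLE_KLIST, "ipa-lb.example.test", "EXAMPLE.TEST"):
        print("FINDING:", f)
```

Run it against real output with `klist -kte /etc/httpd/conf/ipa.keytab | python3 audit.py` after swapping `SAMPLE_KLIST` for `sys.stdin.read()`; the same parser also works on a client's host keytab.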