question Re: Can kerberos kdc be configured with a vip for HA/loadbalancing purposes? in Support Questions

Can kerberos kdc be configured with a vip for HA/loadbalancing purposes?

wgonzalez — Wed, 14 Oct 2015 20:29:47 GMT

While trying to configure kdc with a Virtual IP, we are getting the below error

Could not find user in Kerberos database

Ambari fails the install.

VIP is needed for loadbalancing and HA.

When single node IP is used for kdc, then the install is successful.

Re: Can kerberos kdc be configured with a vip for HA/loadbalancing purposes?

hkropp — Wed, 14 Oct 2015 20:49:41 GMT

I don't think a VIP is necessary, in your krb5.conf you simply set multiple kdc entries. For admin kdc just one. I think only master slave model is possible with MIT Kerberos. See here for sample: http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html#sample-krb5-conf-file

As changes to the kdc are rare, as you will not add people users to the project every day, as simple sync between two kdc is sufficient as is the Master Slave model.

Re: Can kerberos kdc be configured with a vip for HA/loadbalancing purposes?

pcodding — Wed, 14 Oct 2015 21:14:59 GMT

I'm working on adding an (Optional) step in this doc: http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_Ambari_Security_Guide/content/_launching_the_kerberos_wizard_automated_setup.htmlthat mentions how to alter the Advanced krb5-conf template to include another kdc entry. That's all you need to do to @hkropp's point is mention each individual KDC and the Kerberos client will deal with failover in the event one is unavailable. Something like this:

kdc = {{kdc_host}}
kdc = host2.hortonworks.local
kdc = host3.hortonworks.local

The {{kdc_host}} is substituted for the host that you have configured in the KDC Host input field. In future versions we'll make this KDC Hosts (comma-separated) to make it easier.

Re: Can kerberos kdc be configured with a vip for HA/loadbalancing purposes?

wgonzalez — Tue, 20 Oct 2015 05:10:35 GMT

Sorry, my question had a 2 part. Sorry I did not make that clear.

Setting up different kdcs as suggested above works for configuration and HA.

However, the user wants to configure a kdc with a load balancer to ease up the traffic.

if 2 kdcs are setup, then users can still connect to the heavy used one instead of being redirected to the idle one via loadbalancer. Does this make sense?

Re: Can kerberos kdc be configured with a vip for HA/loadbalancing purposes?

nsabharwal — Sun, 31 Jan 2016 23:40:02 GMT

@William Gonzalez Thanks for raising this!!

Re: Can kerberos kdc be configured with a vip for HA/loadbalancing purposes?

nsabharwal — Sun, 31 Jan 2016 23:41:43 GMT

Thanks @Paul Codding for taking care of this...very helpful to have in official docs.