Debugging connections through load balancers. - Kerberos



Thread: Debugging connections through load balancers.

  1. Debugging connections through load balancers.

    I've got a kerberized service that worked fine before I started
    trying to use it through a load balancer. (I'm saying that for
    background, not because I didn't think it should matter.)

    So the current situation is that I've changed /etc/hosts and /etc/
    nodename to contain the FQDN of the balancer. The server *thinks*
    its name is the balancer's name. A connection to the balancer does
    get to the real server. The server's keytab has entries for both its
    real name and the balancer's name. Doesn't work. (Interestingly a
    direct connection that bypasses the balancer still works; I wouldn't
    have expected that.)

    So how do I go about debugging something like this?

    My next step would be to snoop the connection and feed it to
    ethereal, probably with lots of keys available so it can decode
    everything. Is there anything better to try? Is there any way to
    get the kerberos libs to say what (if anything) they are trying to
    get out of the keytab?

    If it matters, the service is Sun LDAP 5.2 on Solaris 9.
    ----------------------------------------------------------------------
    The opinions expressed in this message are mine,
    not those of Caltech, JPL, NASA, or the US Government.
    Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Debugging connections through load balancers.

    >I've got a kerberized service that worked fine before I started
    >trying to use it through a load balancer. (I'm saying that for
    >background, not because I didn't think it should matter.)
    >
    >So the current situation is that I've changed /etc/hosts and /etc/
    >nodename to contain the FQDN of the balancer. The server *thinks*
    >its name is the balancer's name. A connection to the balancer does
    >get to the real server. The server's keytab has entries for both its
    >real name and the balancer's name. Doesn't work. (Interestingly a
    >direct connection that bypasses the balancer still works; I wouldn't
    >have expected that.)
    >
    >So how do I go about debugging something like this?


    What kind of error do you get? "Key table entry not found", or
    something like that?

    >My next step would be to snoop the connection and feed it to
    >ethereal, probably with lots of keys available so it can decode
    >everything. Is there anything better to try? Is there any way to
    >get the kerberos libs to say what (if anything) they are trying to
    >get out of the keytab?


    Sniffing the network will probably not be useful; the application
    server won't be sending anything useful over the network. Normally
    I have a full debugging build of Kerberos for this occasion ...
    but that doesn't sound like an option here.

    >If it matters, the service is Sun LDAP 5.2 on Solaris 9.


    A SASL server, which means GSSAPI; figures. And it doesn't seem like it's
    open source, either.

    Some GSSAPI apps expect that the ticket will be for "service/<hostname>",
    where <hostname> is what is returned by "hostname". When you say
    the server "thinks" it's the balancer ... how did you tell it that?
    You changed its hostname? You changed its idea of its name for its
    IP address?

    --Ken
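The check Ken is getting at, as an added example that is not part of the thread: derive the service/<hostname>@REALM principals a GSSAPI acceptor would look for from the names the host believes it has, and compare them against what the keytab actually holds. The service name (ldap), realm (EXAMPLE.COM), host names (real.example.com, lb.example.com) and the embedded klist -k listing are all constructed for the example; the live mode assumes the host canonicalizes its own name via hostname and that klist -k is available.

```shell
#!/bin/sh
# Added example, not from the thread. Given a service name, a realm, a
# "klist -k" listing and one or more host names, print which
# service/<host>@REALM principals the keytab lacks. All names here are
# hypothetical (real.example.com, lb.example.com, EXAMPLE.COM).

# Constructed klist -k output standing in for the server's keytab.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   3 ldap/real.example.com@EXAMPLE.COM
   3 host/real.example.com@EXAMPLE.COM'

# principals_for_names SERVICE REALM NAME...
# Print service/<name>@REALM for every name given.
principals_for_names() {
    service=$1; realm=$2; shift 2
    for name in "$@"; do
        printf '%s/%s@%s\n' "$service" "$name" "$realm"
    done
}

# Read "klist -k" output on stdin and print just the principal column.
# Entry lines look like "   3 ldap/real.example.com@EXAMPLE.COM"; the
# header ("KVNO Principal") and the dashed ruler are skipped because
# their first field is not a number.
keytab_principals() {
    awk 'NF == 2 && $1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# check_keytab SERVICE REALM KLIST_OUTPUT NAME...
# Print each wanted principal that is missing from the listing.
# Exit 0 when every name is covered, 1 when at least one is not.
check_keytab() {
    service=$1; realm=$2; listing=$3; shift 3
    have=$(printf '%s\n' "$listing" | keytab_principals)
    missing=0
    for p in $(principals_for_names "$service" "$realm" "$@"); do
        if printf '%s\n' "$have" | grep -qxF "$p"; then
            :
        else
            echo "$p"
            missing=1
        fi
    done
    return $missing
}

# live_check: run the same comparison on this host, using the name the
# host reports for itself (the name Ken says the acceptor will use).
# Assumes klist -k and a readable keytab; REALM must be set by the caller.
live_check() {
    if ! command -v klist >/dev/null 2>&1; then
        echo "klist not found; skipping live check" >&2
        return 0
    fi
    listing=$(klist -k "${KEYTAB:-/etc/krb5/krb5.keytab}" 2>/dev/null) || {
        echo "could not read keytab" >&2; return 0; }
    check_keytab "${SERVICE:-ldap}" "${REALM:?set REALM}" "$listing" "$(hostname)"
}

# Run against the real host only when asked; otherwise just define functions.
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run with `--live` (and REALM set) on the server itself: a listed principal means the keytab is not the problem for that name, and the next thing to compare is the name the client actually puts in its request, which the original poster's keytab already covers for both the real name and the balancer's name.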

