Wrong principal in request using virt interface

Edward Murrell edward at dlconsulting.com
Mon Jan 29 20:13:41 EST 2007


petesea at bigfoot.com wrote:
>
> Sorry, I guess I wasn't very clear.  The servers aren't KDCs, they are 
> CVS/Subversion servers accessed via OpenSSH using GSSAPI Authentication 
> and GSSAPI Key Exchange.
>
> In the very simplest case we would have 2 hosts -- one for CVS and one 
> for Subversion.  If one of the hosts fails, the service running on that 
> host (e.g. CVS) can be moved to the other host simply by remounting the 
> filesystem and moving the virtual interface.  From the client's perspective 
> all they will (hopefully) notice is a slight delay, after which the same 
> data will be available via the same hostname and IP address.
Wouldn't it be easier to have both on the same host, and then use
different cnames in the DNS?
Eg, if the machine is called gort.home.org, then have;

cvs.home.org -> gort.home.org (CNAME record)
svn.home.org -> gort.home.org (CNAME record)

gort.home.org -> 192.186.0.2 (A record)
192.168.0.2     -> gort.home.org (RDNS PTR record)

That way you could have all your aliases, and be able to change the machines easily and not have to deal with multiple IPs.


~Edward



