kerberos linux cluster authorization against AD

Mark Pröhl mark at mproehl.net
Fri Jan 21 13:14:08 EST 2011 

Hello,

create a service principal that contains the dns hostname of the virtual 
IP (the name associated with 10.10.11.149): HTTP/<fqdn of vip>

use ktpass.exe to create a keytab for that principal

copy that keytab to both nodes

Regards,

Mark Pröhl


On 01/21/2011 09:05 AM, Schreiber Martin wrote:
> Hello List !
>
> Today I´m a liitle bit more detailed...
>
> First a scheme of our environment
>
>
>
>
>                                      |---------------------------------------------------------->  AD
>                         virtual cluster  |
>                    |--------------------------|---|
>          ----------|---------             -------|---------
>          |                   |            |                |
>          |                   |            |                |
>          |                   |            |                |
>          |     node1     |            |  node2      |
>          ^------------------|            |-----------------|
>
>
>
> virtual cluster ip  =  10.10.11.149
> node1 ip            =  10.10.11.147
> node2 ip            =  10.10.11.148
>
>
> The cluster is realized with Suse Linux SLES 11 Sp1 and the LVS toolset(ipvsadm, ldirecord) ; the  cluster is actice/active  with apache and tomcat running on each physical node. It is planned to authenticate the environment via mod_auth_kerb against Active Directory. As I explained in my first mail , that works if I do that with one physical node only. I followed the well known howtos and made kerberos tickets and keytabs which where copied to the linux node. After configuring the apache clients all worked as expected, the AD users could access the apache websites without any user and passwords interactions.
>
> Trouble began with "kerberizing" the cluster itself.  I createed keytabs for both phisical nodes via ktpass utility and copied the keys to the nodes. A kinit was successfull . But authrization was impossible , the logs showed me error messages, because the request for webaccesss was directed to the "virtual"  cluster address , which is pretty ok and expected . Now my question , how to "kerberize"  the VIRTUAL CLUSTER IP   ??
>
> What did I overlook.  Perhaps that approach is really impossible ?  Is there a workaround to make this happen ?
>
>
> Best Regards            Martin  Schreiber
>
>
> Mit freundlichen Grüßen
> Martin SCHREIBER
>
> ________________________________
> Martin SCHREIBER
> TÜV AUSTRIA HOLDING AG
> Krugerstraße 16
> 1015 Wien/Österreich
> Tel.: +43 (0)1 514 07-6050
> Fax: +43 (0)1 514 07-76030
> E-Mail: msr at tuv.at<mailto:msr at tuv.at>
> RSS-Feed: http://rss.tuv.at/news_de.xml
> http://www.tuv.at<http://www.tuv.at/>
> ________________________________
>
> Sitz: Krugerstraße 16 1015 Wien/Österreich
> Vorsitzender des Aufsichtsrates: KR Dipl.-Ing. Johann MARIHART
> Vorstand: Dipl.-Ing. Dr. Hugo EBERHARDT (Vorsitzender), Mag. Christoph WENNINGER
> Firmenbuchgericht/ -nummer: Wien / FN 286107 x
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

More information about the Kerberos mailing list