AW: kerberos linux cluster authorization against AD

Schreiber Martin msr at tuv.at
Mon Jan 24 05:14:16 EST 2011


 

Hello Mark,


Thanks a lot for your info. On the AD I deleted all "old" entries , followed your suggestions and all worked as expected. I really thought to complex. THX again to point me in the right direction.


Best Regards	Martin  Schreiber

Mit freundlichen Grüßen Martin SCHREIBER

-----------------------------------------------------------
Martin SCHREIBER
TÜV AUSTRIA HOLDING AG
Krugerstraße 16 1015 Wien/Österreich
Tel.: +43 (0)1 514 07-6050
Fax: +43 (0)1 514 07-76030
E-Mail: msr at tuv.at
RSS-Feed: http://rss.tuv.at/news_de.xml
http://www.tuv.at
-----------------------------------------------------------

Sitz: Krugerstraße 16 1015 Wien/Österreich
Vorsitzender des  Aufsichtsrates: KR Dipl.-Ing. Johann MARIHART
Vorstand: Dipl.-Ing. Dr. Hugo EBERHARDT (Vorsitzender), Mag. Christoph WENNINGER
Firmenbuchgericht/ -nummer: Wien / FN 286107 x

-----Ursprüngliche Nachricht-----
Von: Mark Pröhl [mailto:mark at mproehl.net] 
Gesendet: Freitag, 21. Januar 2011 19:14
An: kerberos at mit.edu; Schreiber Martin
Betreff: Re: kerberos linux cluster authorization against AD

Hello,

create a service principal that contains the dns hostname of the virtual IP (the name associated with 10.10.11.149): HTTP/<fqdn of vip>

use ktpass.exe to create a keytab for that principal

copy that keytab to both nodes

Regards,

Mark Pröhl


On 01/21/2011 09:05 AM, Schreiber Martin wrote:
> Hello List !
>
> Today I´m a liitle bit more detailed...
>
> First a scheme of our environment
>
>
>
>
>                                      |---------------------------------------------------------->  AD
>                         virtual cluster  |
>                    |--------------------------|---|
>          ----------|---------             -------|---------
>          |                   |            |                |
>          |                   |            |                |
>          |                   |            |                |
>          |     node1     |            |  node2      |
>          ^------------------|            |-----------------|
>
>
>
> virtual cluster ip  =  10.10.11.149
> node1 ip            =  10.10.11.147
> node2 ip            =  10.10.11.148
>
>
> The cluster is realized with Suse Linux SLES 11 Sp1 and the LVS toolset(ipvsadm, ldirecord) ; the  cluster is actice/active  with apache and tomcat running on each physical node. It is planned to authenticate the environment via mod_auth_kerb against Active Directory. As I explained in my first mail , that works if I do that with one physical node only. I followed the well known howtos and made kerberos tickets and keytabs which where copied to the linux node. After configuring the apache clients all worked as expected, the AD users could access the apache websites without any user and passwords interactions.
>
> Trouble began with "kerberizing" the cluster itself.  I createed keytabs for both phisical nodes via ktpass utility and copied the keys to the nodes. A kinit was successfull . But authrization was impossible , the logs showed me error messages, because the request for webaccesss was directed to the "virtual"  cluster address , which is pretty ok and expected . Now my question , how to "kerberize"  the VIRTUAL CLUSTER IP   ??
>
> What did I overlook.  Perhaps that approach is really impossible ?  Is there a workaround to make this happen ?
>
>
> Best Regards            Martin  Schreiber
>
>
> Mit freundlichen Grüßen
> Martin SCHREIBER
>
> ________________________________
> Martin SCHREIBER
> TÜV AUSTRIA HOLDING AG
> Krugerstraße 16
> 1015 Wien/Österreich
> Tel.: +43 (0)1 514 07-6050
> Fax: +43 (0)1 514 07-76030
> E-Mail: msr at tuv.at<mailto:msr at tuv.at>
> RSS-Feed: http://rss.tuv.at/news_de.xml 
> http://www.tuv.at<http://www.tuv.at/>
> ________________________________
>
> Sitz: Krugerstraße 16 1015 Wien/Österreich Vorsitzender des 
> Aufsichtsrates: KR Dipl.-Ing. Johann MARIHART
> Vorstand: Dipl.-Ing. Dr. Hugo EBERHARDT (Vorsitzender), Mag. Christoph 
> WENNINGER Firmenbuchgericht/ -nummer: Wien / FN 286107 x
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos





More information about the Kerberos mailing list