
kerberos linux cluster authorization against AD


Schreiber Martin

Jan 21, 2011, 3:05:56 AM
to kerb...@mit.edu

Hello List !

Today I'll be a little bit more detailed...

First a scheme of our environment


                  virtual cluster  -----------------------------> AD
                        |
          |--------------------------|---|
          |                              |
    ----------|---------          -------|---------
    |                  |          |               |
    |      node1       |          |     node2     |
    |                  |          |               |
    |------------------|          |---------------|

virtual cluster ip = 10.10.11.149
node1 ip = 10.10.11.147
node2 ip = 10.10.11.148


The cluster is realized with SUSE Linux SLES 11 SP1 and the LVS toolset (ipvsadm, ldirectord); the cluster is active/active with Apache and Tomcat running on each physical node. It is planned to authenticate the environment via mod_auth_kerb against Active Directory. As I explained in my first mail, that works if I do it with one physical node only. I followed the well-known howtos and made Kerberos tickets and keytabs, which were copied to the Linux node. After configuring the Apache clients, all worked as expected: the AD users could access the Apache websites without any user and password interaction.

Trouble began with "kerberizing" the cluster itself. I created keytabs for both physical nodes via the ktpass utility and copied the keys to the nodes. A kinit was successful. But authorization was impossible; the logs showed me error messages, because the request for web access was directed to the "virtual" cluster address, which is pretty OK and expected. Now my question: how to "kerberize" the VIRTUAL CLUSTER IP??

What did I overlook? Perhaps that approach is really impossible? Is there a workaround to make this happen?


Best Regards Martin Schreiber


Kind regards
Martin SCHREIBER

________________________________
Martin SCHREIBER
TÜV AUSTRIA HOLDING AG
Krugerstraße 16
1015 Wien/Österreich
Tel.: +43 (0)1 514 07-6050
Fax: +43 (0)1 514 07-76030
E-Mail: m...@tuv.at<mailto:m...@tuv.at>
RSS-Feed: http://rss.tuv.at/news_de.xml
http://www.tuv.at<http://www.tuv.at/>
________________________________

Registered office: Krugerstraße 16, 1015 Wien/Österreich
Chairman of the Supervisory Board: KR Dipl.-Ing. Johann MARIHART
Management Board: Dipl.-Ing. Dr. Hugo EBERHARDT (Chairman), Mag. Christoph WENNINGER
Commercial register court/number: Wien / FN 286107 x

Mark Pröhl

Jan 21, 2011, 1:14:08 PM
to kerb...@mit.edu, m...@tuv.at
Hello,

Create a service principal that contains the DNS hostname of the virtual
IP (the name associated with 10.10.11.149): HTTP/<fqdn of vip>

Use ktpass.exe to create a keytab for that principal.

Copy that keytab to both nodes.

Regards,

Mark Pröhl

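The procedure Mark describes, worked through as an added example that is not part of the thread: build the principal from the VIP's DNS name, emit the one-time ktpass command for the domain controller, and check on each node that the deployed keytab actually carries that principal with the same key version on both nodes. The realm EXAMPLE.LOCAL, the VIP name cluster.example.local, the account svc-cluster-http, the keytab path, the crypto choice and the mod_auth_kerb settings are all assumptions; the klist listings used for the checks are constructed sample output.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumed: realm EXAMPLE.LOCAL, VIP DNS
# name cluster.example.local, AD account svc-cluster-http, keytab copied to
# /etc/apache2/http.keytab on node1 and node2.
set -u

REALM="EXAMPLE.LOCAL"
VIP_FQDN="cluster.example.local"
SVC_ACCOUNT="svc-cluster-http"
KEYTAB="/etc/apache2/http.keytab"

# The browser asks the KDC for a ticket to HTTP/<host part of the URL>, i.e.
# the VIP name. Neither node1 nor node2 ever appears in that request, so the
# principal both nodes must hold a key for is the VIP one.
spn_for_vip() {
    printf 'HTTP/%s@%s\n' "$1" "$2"
}

# The ktpass command to run ONCE on a domain controller (printed here; it
# cannot run on Linux). Every ktpass run resets the mapped account's password
# and increments the kvno, so generate one keytab and copy that same file to
# every node; never run ktpass again "for node2". The crypto value is an
# assumption: it must be one both the DCs and the SLES krb5 client support.
ktpass_command() {
    printf 'ktpass /princ %s /mapuser %s /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /pass +rndpass /out http.keytab\n' \
        "$(spn_for_vip "$1" "$2")" "$3"
}

# Given the text of `klist -kt <keytab>`, print the kvno of the wanted
# principal (empty if the principal is not in the keytab).
keytab_kvno() {
    printf '%s\n' "$1" | awk -v spn="$2" '$NF == spn { print $1; exit }'
}

# 0 if the keytab listing contains the principal, 1 otherwise.
keytab_has_spn() {
    [ -n "$(keytab_kvno "$1" "$2")" ]
}

# Both nodes must hold the VIP principal at the same kvno. A mismatch means
# one node has a stale copy from an earlier ktpass run and will fail to
# accept the tickets the KDC now issues.
kvno_matches() {
    local a b
    a=$(keytab_kvno "$1" "$3")
    b=$(keytab_kvno "$2" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live check on a node: confirm the principal is in the keytab, then prove the
# key matches the KDC by authenticating with it and fetching a service ticket
# for the VIP principal. Only runs when the script is invoked with --live.
check_live() {
    local listing spn
    spn=$(spn_for_vip "$VIP_FQDN" "$REALM")
    listing=$(klist -kt "$KEYTAB") || return 1
    keytab_has_spn "$listing" "$spn" || { echo "missing $spn in $KEYTAB" >&2; return 1; }
    kinit -kt "$KEYTAB" "$spn" || return 1
    kvno "$spn" || return 1
    kdestroy
}

# Apache side on both nodes (assumed mod_auth_kerb settings, shown for
# reference; pinning KrbServiceName to the VIP principal stops Apache from
# looking for a key named after the node's own hostname):
#   KrbAuthRealms   EXAMPLE.LOCAL
#   Krb5Keytab      /etc/apache2/http.keytab
#   KrbServiceName  HTTP/cluster.example.local
#   KrbMethodNegotiate On
#   KrbMethodK5Passwd  Off

if [ "${1:-}" = "--live" ]; then
    check_live
else
    echo "Run this once on a domain controller:"
    ktpass_command "$VIP_FQDN" "$REALM" "$SVC_ACCOUNT"
fi
```

Run it without arguments to get the ktpass line, then `--live` on node1 and node2 after the keytab is in place. Two caveats that follow from the same key-version rule: the HTTP/<vip fqdn> SPN must exist on exactly one AD account (a duplicate SPN on the old per-node accounts breaks ticket issuance for that name, which is why clearing the old entries matters), and if a client still cannot authenticate after both nodes pass the check, compare the kvno in the failing node's keytab with `kvno HTTP/<vip fqdn>` from a user ticket before touching ktpass again.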

Schreiber Martin

Jan 24, 2011, 5:14:16 AM
to ma...@mproehl.net, kerb...@mit.edu

Hello Mark,


Thanks a lot for your info. On the AD I deleted all "old" entries, followed your suggestions, and all worked as expected. I was really overthinking it. Thanks again for pointing me in the right direction.


Best Regards Martin Schreiber

