Configuring HA Kerberos in Sun Cluster 3.2

One of the major features of Sun Cluster 3.2 is support for Kerberos: a new Kerberos agent (resource type SUNW.krb5) has been designed for it. The Kerberos agent also supports two other important features of the Sun Cluster 3.2 release, namely HA ZFS and application support in non-global zones.

To learn more about the Kerberos Service, please refer to this document.

Perform the following steps on one of the cluster nodes, or in its non-global zone.

CONFIGURING KERBEROS:
=====================

1.) Edit the krb5.conf file and make the changes necessary for your realm. Point kdc and admin_server at the logical hostname that will be created for the resource group (not at a physical cluster node), so that clients keep reaching the KDC after a failover. For assistance, read the Kerberos documentation at the following location: http://docs.sun.com/app/docs/doc/816-4557/6maosrjl0?a=view

bash-3.00# cat /etc/krb5/krb5.conf
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)krb5.conf 1.3 04/03/25 SMI"
#

# krb5.conf template
# In order to complete this configuration file
# you will need to replace the __<name>__ placeholders
# with appropriate values for your network.
#
[libdefaults]
default_realm = SUN.COM

[realms]
SUN.COM = {
kdc = <logical hostname>.sun.com
admin_server = <logical hostname>.sun.com
}

[domain_realm]
.sun.com = SUN.COM

[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)

versions = 10
}

[appdefaults]
kinit = {
renewable = true
forwardable = true
}
gkadmin = {
help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
}

2.) Modify kdc.conf and, if required, add the incremental database propagation (sunw_dbprop) entries.

bash-3.00# cat /etc/krb5/kdc.conf
#
# Copyright 1998-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#ident "@(#)kdc.conf 1.2 02/02/14 SMI"

[kdcdefaults]
kdc_ports = 88,750

[realms]
SUN.COM = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
sunw_dbprop_enable = true
sunw_dbprop_master_ulogsize = 1000
}

3.) Modify the ACL, since it is used by the probe. Note that the entry below grants every principal with an /admin instance every kadmin privilege; if your site policy requires it, replace the wildcard with the specific principals that need access.

bash-3.00# cat /etc/krb5/kadm5.acl
#
# Copyright (c) 1998-2000 by Sun Microsystems, Inc.
# All rights reserved.
#
#pragma ident "@(#)kadm5.acl 1.1 01/03/19 SMI"

*/admin@SUN.COM *

4.) Create the necessary principals. Listed below are the minimal principals required for the Sun Cluster resource.

bash-3.00# kadmin.local
Authenticating as principal root/admin@SUN.COM with password.
kadmin.local: list_principals
K/M@SUN.COM
changepw/<logical hostname>.sun.com@SUN.COM
changepw/<clusternode>@SUN.COM
kadmin/admin@SUN.COM
kadmin/changepw@SUN.COM
kadmin/history@SUN.COM
kadmin/<logical hostname>.sun.com@SUN.COM
kadmin/@SUN.COM
kiprop/<logical hostname>.sun.com@SUN.COM
krbtgt/SUN.COM@SUN.COM
kws/admin@SUN.COM
kadmin.local: q

CLUSTER CONFIGURATION:
======================

5.) Create the RG.

clrg create -n <nodelist> -z <zone list> krb-rg
where each entry in <nodelist> is either <node> or <node:zone>

6.) Add the Logical Hostname.

clrs create -p Netiflist=<sc_ipmp<#>@<node #>,...> -g krb-rg <logical host>

7.) Create the directory that will hold the Kerberos files on all member nodes, including zones. If no HAStoragePlus resource is used, mount it on the cluster (global) filesystem or on a shared filesystem:

bash-3.00# mkdir /global/krb

Optional step: add a ZFS pool or a regular volume if you want to use the Highly Available Storage resource (HAStoragePlus):

zfs:

bash-3.00# clrs create -t SUNW.HAStoragePlus -p Zpools=<poolname> -g krb-rg zfs

volume:

bash-3.00# clrs create -t SUNW.HAStoragePlus -p AffinityOn=true -p Filesystemmountpoints=/global/krb -g krb-rg hasp

bash-3.00# clrg manage krb-rg

bash-3.00# clrg online krb-rg

8.) Create two sub-directories, one for the configuration files (the contents of /etc/krb5) and one for the KDC database and logs (the contents of /var/krb5):

bash-3.00# mkdir -p /global/krb/conf
bash-3.00# mkdir -p /global/krb/db

9.) Copy the files to the directories. Use -p so that ownership and modes are preserved: the keytabs and the principal database must remain readable by root only after the move.

bash-3.00# cp -rp /etc/krb5 /global/krb/conf

bash-3.00# cp -rp /var/krb5 /global/krb/db

10.) Rename the standard directories on all nodes and zones that are part of the RG:

bash-3.00# mv /etc/krb5 /etc/krb5.old

bash-3.00# mv /var/krb5 /var/krb5.old

11.) Create soft links from the shared filesystem to the standard directories. Do this on every node and zone in the RG, switching the RG to each of them in turn so that the shared filesystem is mounted where the links are created:

bash-3.00# ln -s /global/krb/conf/krb5 /etc/krb5

bash-3.00# ln -s /global/krb/db/krb5 /var/krb5
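The relocation in steps 8 through 11, as an added example that is not part of the original post, written as a re-runnable bash function with a check that the links resolve into the shared directory. The ROOT prefix, the two-node demo tree and the constructed stand-in files are assumptions made so it can be exercised without a cluster; on a real node or zone the arguments are / and /global/krb.

```shell
#!/bin/bash
# Added example (not from the original post): steps 8-11 as a function.
# ROOT is an assumed prefix so the function can be exercised on a throwaway
# tree; on a real node or zone pass "/" and SHARED=/global/krb. Run it once
# where the shared filesystem is mounted (that call copies the data in), then
# once on every other node and zone of the RG (those calls only swap the
# standard directories for symlinks).

relocate_krb() {   # relocate_krb ROOT SHARED
    local root=${1%/} shared=$2 pair std sub src dst
    for pair in etc/krb5:conf var/krb5:db; do
        std=${pair%%:*}; sub=${pair##*:}
        src=$root/$std
        dst=$shared/$sub/krb5
        # Already a symlink: this node/zone was done earlier, leave it alone.
        [ -L "$src" ] && continue
        mkdir -p "$shared/$sub" || return 1
        if [ ! -d "$dst" ]; then
            # First node: copy the tree in. -p keeps owner and mode, so the
            # keytabs and principal database stay root-only after the move.
            cp -rp "$src" "$shared/$sub/" || return 1
        fi
        # Keep the original as .old (step 10), then point the standard path
        # at the shared copy (step 11).
        if [ -e "$src" ]; then mv "$src" "$src.old" || return 1; fi
        ln -s "$dst" "$src" || return 1
    done
    return 0
}

verify_krb_links() {   # verify_krb_links ROOT SHARED: 0 when both links lead into SHARED
    local root=${1%/}
    [ -L "$root/etc/krb5" ] && [ "$root/etc/krb5" -ef "$2/conf/krb5" ] || return 1
    [ -L "$root/var/krb5" ] && [ "$root/var/krb5" -ef "$2/db/krb5" ] || return 1
}

demo_relocate() {   # constructed two-node tree; 0 when the whole sequence behaves
    local t n mode
    t=$(mktemp -d) || return 1
    for n in node1 node2; do
        mkdir -p "$t/$n/etc/krb5" "$t/$n/var/krb5"
        echo "default_realm = SUN.COM" > "$t/$n/etc/krb5/krb5.conf"
        : > "$t/$n/var/krb5/principal"        # constructed stand-in for the KDC database
        chmod 600 "$t/$n/var/krb5/principal"
    done
    relocate_krb "$t/node1" "$t/krb" || return 1    # copies in, then links
    relocate_krb "$t/node2" "$t/krb" || return 1    # links only
    relocate_krb "$t/node2" "$t/krb" || return 1    # re-run is a no-op
    verify_krb_links "$t/node1" "$t/krb" || return 1
    verify_krb_links "$t/node2" "$t/krb" || return 1
    [ -d "$t/node2/etc/krb5.old" ] || return 1       # original kept for rollback
    mode=$(ls -l "$t/krb/db/krb5/principal" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || return 1           # mode survived cp -rp
    rm -rf "$t"
}
```

The function is safe to re-run: a path that is already a symlink is skipped, and the copy happens only while the shared copy does not exist yet, so running it on the second node cannot overwrite the database that the first node already moved.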

12.) Now register the kerberos RT:

bash-3.00# clresourcetype register SUNW.krb5

13.) Verify the prerequisites:

a) /etc/resolv.conf is present and has nameserver and domain entries, and the domain matches the [domain_realm] mapping in krb5.conf.

b) Edit /etc/nsswitch.conf so that the hosts entry also resolves through dns.
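A checker for the prerequisites in step 13, and for the krb5.conf requirement from step 1 that kdc and admin_server name the logical hostname, as an added example rather than code from the original post. The awk parsing helpers, the file-path arguments and the constructed sample files in demo_prereqs are assumptions; on a node the inputs are /etc/resolv.conf, /etc/nsswitch.conf, /etc/krb5/krb5.conf and the logical hostname created in step 6.

```shell
#!/bin/bash
# Added example (not from the original post). Checks step 13's prerequisites
# and that krb5.conf names the logical hostname as kdc/admin_server. All file
# paths are parameters (an assumption made so the checks run on sample files).

ini_get() {   # ini_get FILE SECTION KEY -> first "KEY = value" inside [SECTION]
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { insec = ($1 == sec); next }
        insec { sub(/=/, " = "); if ($1 == key && $2 == "=") { print $3; exit } }
    ' "$1"
}

realm_domain() {   # realm_domain FILE REALM -> domain mapped to REALM in [domain_realm]
    awk -v realm="$2" '
        /^[ \t]*\[/ { insec = ($1 == "[domain_realm]"); next }
        insec { sub(/=/, " = "); if ($3 == realm) { sub(/^\./, "", $1); print $1; exit } }
    ' "$1"
}

resolv_domain() { awk '$1 == "domain" { print $2; exit }' "$1"; }
resolv_has_nameserver() { awk '$1 == "nameserver" { f = 1 } END { exit !f }' "$1"; }
nsswitch_hosts_uses_dns() {
    awk '$1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i == "dns") f = 1 } END { exit !f }' "$1"
}

check_krb_prereqs() {   # check_krb_prereqs RESOLV NSSWITCH KRB5CONF LOGICALHOST
    local resolv=$1 nss=$2 krb=$3 lh=$4 rc=0 dom realm rdom key v
    resolv_has_nameserver "$resolv" || { echo "FAIL: no nameserver in $resolv"; rc=1; }
    dom=$(resolv_domain "$resolv")
    [ -n "$dom" ] || { echo "FAIL: no domain in $resolv"; rc=1; }
    nsswitch_hosts_uses_dns "$nss" || { echo "FAIL: hosts in $nss does not include dns"; rc=1; }
    realm=$(ini_get "$krb" libdefaults default_realm)
    rdom=$(realm_domain "$krb" "$realm")
    if [ -n "$dom" ] && [ "$dom" != "$rdom" ]; then
        echo "FAIL: domain '$dom' is not mapped to $realm in [domain_realm] (found '$rdom')"; rc=1
    fi
    # The HA point: both must be the logical hostname that moves with the RG,
    # never a physical node name.
    for key in kdc admin_server; do
        v=$(ini_get "$krb" realms "$key")
        [ "$v" = "$lh" ] || { echo "FAIL: $key = '$v', expected logical hostname $lh"; rc=1; }
    done
    return $rc
}

demo_prereqs() {   # constructed sample files: a correct setup passes, kdc on a physical node fails
    local t good bad
    t=$(mktemp -d) || return 1
    printf 'domain sun.com\nnameserver 192.0.2.53\n' > "$t/resolv.conf"
    printf 'hosts:      files dns\n' > "$t/nsswitch.conf"
    cat > "$t/krb5.conf" <<'EOF'
[libdefaults]
default_realm = SUN.COM
[realms]
SUN.COM = {
kdc = krb-lh.sun.com
admin_server = krb-lh.sun.com
}
[domain_realm]
.sun.com = SUN.COM
EOF
    if check_krb_prereqs "$t/resolv.conf" "$t/nsswitch.conf" "$t/krb5.conf" krb-lh.sun.com >/dev/null; then good=0; else good=1; fi
    sed 's/^kdc = .*/kdc = node1.sun.com/' "$t/krb5.conf" > "$t/krb5-bad.conf"
    if check_krb_prereqs "$t/resolv.conf" "$t/nsswitch.conf" "$t/krb5-bad.conf" krb-lh.sun.com >/dev/null; then bad=0; else bad=1; fi
    rm -rf "$t"
    [ "$good" = 0 ] && [ "$bad" = 1 ]
}
```

ini_get returns the first match inside the section, which is enough for a single-realm krb5.conf like the one above; every failed check is reported and the function returns non-zero if any of them failed, so it can be run on each node and zone before step 14.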

14.) Add the Kerberos resource to the existing RG and enable it. The dependency names the HAStoragePlus resource created in step 7 (hasp for the volume case, zfs for the ZFS case); the logical hostname in the same RG is depended on implicitly.

bash-3.00# clrs create -t SUNW.krb5 -p Resource_dependencies=hasp -g krb-rg krb5

bash-3.00# clrs enable krb5

Madhan Kumar Balasubramanian,
Sun Cluster Engineering
