News, tips, partners, and perspectives for the Oracle Solaris operating system

Configuring HA Kerberos in Sun Cluster 3.2

Guest Author
One of the major features of Sun Cluster 3.2 is the support for Kerberos. A new Kerberos Agent has been designed. The Kerberos Agent supports 2 other important features of Sun Cluster 3.2 release namely, HA ZFS and application support in non-global zones.
To learn more about the Kerberos Service, please refer to this document.
Do the following steps in one of the cluster nodes or its zone.
1.) Edit the krb5.conf file and make the changes necessary for your realm. For assistance, read the kerberos doc in the following location: http://docs.sun.com/app/docs/doc/816-4557/6maosrjl0?a=view
bash-3.00# cat /etc/krb5/krb5.conf
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# ident "@(#)krb5.conf 1.3 04/03/25 SMI"
# krb5.conf template
# In order to complete this configuration file
# you will need to replace the __<name>__ placeholders
# with appropriate values for your network.
default_realm = SUN.COM
kdc = <logical hostname>.sun.com
admin_server = <logical hostname>.sun.com
.sun.com = SUN.COM
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
versions = 10
kinit = {
renewable = true
forwardable= true
gkadmin = {
help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
2.) Make modifications for kdc.conf and if required make dbprop entries.
bash-3.00# cat /etc/krb5/kdc.conf
# Copyright 1998-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#ident "@(#)kdc.conf 1.2 02/02/14 SMI"
kdc_ports = 88,750
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +preauth
sunw_dbprop_enable = true
sunw_dbprop_master_ulogsize = 1000
3.) Modify the acl as it is used by probe,
bash-3.00# cat /etc/krb5/kadm5.acl
# Copyright (c) 1998-2000 by Sun Microsystems, Inc.
# All rights reserved.
#pragma ident "@(#)kadm5.acl 1.1 01/03/19 SMI"
\*/admin@SUN.COM \*
4.) Create the necessary principals. Listed below are the minimal principals required for Sun Cluster resource.
bash-3.00# kadmin.local
Authenticating as principal root/admin@SUN.COM with password.
kadmin.local: list_principals
changepw/<logical hostname>.sun.com@SUN.COM
kadmin/<logical hostname>.sun.com@SUN.COM
kiprop/<logical hostname>.sun.com@SUN.COM
5.) Create the RG.
clrg create -n <nodelist> -z <zone list> krb-rg
<nodelist> = <node>/ <node:zone>
6.) Add the Logical Hostname.
clrs create -p Netiflist=<sc_ipmp<#>@<node #>,...> -g krb-rg <logical host>
7.) Create the directory to store krb files on all member nodes including zones and mount it on the cluster filesystem/shared filesystem if HASP resource is not used:
bash-3.00# mkdir /global/krb
Optional step: Add the zfs or regular volume if you want to use Highly Available Storage resource. i.e HAStoragePlus
bash-3.00# clrs create -t SUNW.HAStoragePlus -p Zpools=<poolname> -g krb-rg zfs
bash-3.00# clrs create -t SUNW.HAStoragePlus -p AffinityOn=true -p Filesystemmountpoints=/global/krb -g krb-rg hasp
bash-3.00# clrg manage krb-rg
bash-3.00# clrg online krb-rg
8.) Create 2 sub-directories for a) Configuration files b) log files:
bash-3.00# mkdir -p /global/krb/conf
bash-3.00# mkdir -p /global/krb/db
9.) Copy the files to the directories:
bash-3.00# cp -r /etc/krb5 /global/krb/conf
bash-3.00# cp -r /var/krb5 /global/krb/db
10.) rename the standard directories on all nodes and zones part of the RG:
bash-3.00# mv /etc/krb5 /etc/krb5.old
bash-3.00# mv /var/krb5 /var/krb5.old
11.) create soft links from the shard fs to the standard directories by switching the rg to the nodes/zones:
bash-3.00# ln -s /global/krb/conf/krb5 /etc/krb5
bash-3.00# ln -s /global/krb/db/krb5 /var/krb5
12.) Now register the kerberos RT:
bash-3.00# clresourcetype register SUNW.krb5
13.) Verify prerequisites:
a) /etc/resolv.conf is present and has entries for nameserver and domain, matching the entries in krb5.conf
b) Edit nsswitch.conf and set hosts to resolve to dns also.
14.) Add the kerberos resource to the existing RG and enable it
bash-3.00# clrs create -t SUNW.krb5 -p resource_Dependencies=hasp -g krb-rg krb5
bash-3.00# clrs enable krb5
Madhan Kumar Balasubramanian,
Sun Cluster Engineering

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.