Sun Cluster Data Service for Kerberos Guide for Solaris OS

Registering and Configuring Sun Cluster HA for Kerberos

This section describes how to register and configure Sun Cluster HA for Kerberos.

Procedure: How to Register and Configure Sun Cluster HA for Kerberos

Before You Begin

To perform this procedure, you need the following information about your configuration.

  1. Become superuser on a cluster node.

  2. Register the resource type for the data service.


    # clresourcetype register SUNW.krb5
    
  3. Create a resource group for the network and Kerberos resources to use.


    # clresourcegroup create [-n node[,...]] resource-group
    
    -n node[,...]

    Specifies an optional comma-separated list of nodes or zones that can master this resource group. Each entry in this list has the format node:zone, where node is the node name and zone is the name of a non-global Solaris zone. To specify the global zone, or to specify a node without local zones, specify only node. These are the nodes or zones on which the data service can run. The order of the list determines the order in which the nodes or zones are considered as primary during failover. If all of the cluster nodes or zones are potential masters, you do not need to use the -n option.

    This list is optional. If you omit this list, the global zone of each cluster node can master the resource group.

  4. Verify that all of the network resources that are to be used have been added to your name service database.

    You should have performed this verification during the Sun Cluster installation. See Chapter 1, Planning the Sun Cluster Configuration, in Sun Cluster Software Installation Guide for Solaris OS for details.


    Note –

    To avoid any failures because of name service lookup, verify that all of the network resources are present in the server's and client's /etc/inet/hosts file. Configure name service mapping in the /etc/nsswitch.conf file on the servers to first check the local files before trying to access NIS or NIS+.


  5. Add a logical hostname to a resource group.


    # clreslogicalhostname create -g resource-group \
    -h logical-hostname,[logical-hostname] \
    [-N netif@node[,...]] lhresource
    
    -g resource-group

    Specifies the name of the resource group. This name can be your choice but must be unique for a resource group within the cluster.

    -h logical-hostname

    Specifies a comma-separated list of network resources (logical hostname or shared address).

    -N netif@node[,...]

    Specifies an optional, comma-separated list that identifies the IP Networking Multipathing groups that are on each node. netif can be given as an IP Networking Multipathing group name, such as sc_ipmp0. The node can be identified by the node name or node ID, such as sc_ipmp0@1 or sc_ipmp0@phys-schost-1. If you do not specify -N, the clreslogicalhostname command attempts to set the NetIfList property for you based on available IPMP groups or public adapters and the subnet associated with the HostnameList property.

    lhresource

    Specifies the logical hostname resource to be created in the associated resource group.


    Note –

    If you require a fully qualified hostname, you must specify the fully qualified name with the -h option and you cannot use the fully qualified form in the resource name.



    Note –

    Sun Cluster does not currently support the use of adapter names for netif.


  6. Add a Kerberos application resource to the resource group.


    # clresource create -g resource-group -t SUNW.krb5 \
    [-p Network_resources_used=network-resource, ...] \
    [-p Port_list=port-number/protocol] resource
    
    -p Network_resources_used=network-resource, ...

    Specifies a comma-separated list of network resources (logical hostnames or shared addresses) that Kerberos will use. If you do not specify this property, the value defaults to all of the network resources that are contained in the resource group.

    -p Port_list=port-number/protocol

    Specifies a port number and the protocol to be used. If you do not specify this property, the value defaults to 88/tcp,749/tcp,88/udp.

    -t SUNW.krb5

    Specifies the name of the resource type to which this resource belongs. This entry is required.

    resource

    Specifies the name of the resource to be associated with the resource type SUNW.krb5.

    The resource is created in the enabled state.

  7. Bring the resource group online:


    # clresourcegroup online -M resource-group
    
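The note in step 4 asks you to confirm that every network resource is in /etc/inet/hosts and that hosts lookups consult the local files before NIS or NIS+. The following pre-flight check is an added example, not part of the Sun Cluster guide; it assumes POSIX sh with awk and sed, takes the file paths as parameters so it can be pointed at a node's real files, and here runs against constructed sample files (hostnames from this guide's example, addresses from the 192.0.2.0/24 documentation range).

```shell
#!/bin/sh
# Added pre-flight check for the name-service note in step 4 (not part of the
# Sun Cluster guide). The names to check are the ones that will go into the
# logical hostname's HostnameList. All sample data below is constructed.

# hosts_has_entry HOSTS_FILE NAME -> 0 if NAME is a hostname or alias in HOSTS_FILE
hosts_has_entry() {
    sed 's/#.*//' "$1" | awk -v n="$2" '
        { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit found ? 0 : 1 }'
}

# nsswitch_files_first NSSWITCH_FILE -> 0 if the hosts: entry lists "files" first
nsswitch_files_first() {
    awk 'BEGIN { rc = 1 }
         /^[[:space:]]*hosts:/ {
             sub(/#.*/, ""); sub(/^[[:space:]]*hosts:[[:space:]]*/, "")
             n = split($0, src, /[[:space:]]+/)
             rc = (n >= 1 && src[1] == "files") ? 0 : 1
             exit
         }
         END { exit rc }' "$1"
}

# check_name_service HOSTS_FILE NSSWITCH_FILE NAME... -> returns the number of problems
check_name_service() {
    hosts=$1; nss=$2; shift 2; problems=0
    for name in "$@"; do
        if hosts_has_entry "$hosts" "$name"; then echo "ok: $name in $hosts"
        else echo "MISSING: $name not in $hosts"; problems=$((problems + 1)); fi
    done
    if nsswitch_files_first "$nss"; then echo "ok: hosts lookup tries files first"
    else echo "WARN: $nss does not try files before NIS/NIS+"; problems=$((problems + 1)); fi
    return "$problems"
}

# write_samples DIR: constructed sample files standing in for the node's real ones
write_samples() {
    mkdir -p "$1"
    printf '%s\n' '127.0.0.1   localhost' \
        '192.0.2.11  pkdc1 pkdc1.example.com' \
        '192.0.2.12  pkdc2 pkdc2.example.com' \
        '192.0.2.20  kdc-1 kdc-1.example.com  # logical hostname' > "$1/hosts"
    printf 'hosts:      files nis\n' > "$1/nsswitch.good"
    printf 'hosts:      nis files\n' > "$1/nsswitch.bad"
}
tmp=$(mktemp -d); write_samples "$tmp"
check_name_service "$tmp/hosts" "$tmp/nsswitch.good" pkdc1.example.com kdc-1 kdc-1.example.com
check_name_service "$tmp/hosts" "$tmp/nsswitch.bad" kdc-2   # kdc-2: constructed, missing name
rm -rf "$tmp"
```

On a real node, run it as check_name_service /etc/inet/hosts /etc/nsswitch.conf followed by the logical hostnames, on both the servers and the clients.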

Example 1–1 Registering Failover Sun Cluster HA for Kerberos

The following example shows how to register Sun Cluster HA for Kerberos on a two-node cluster. At the end of this example, the clresourcegroup command starts Sun Cluster HA for Kerberos.

This example uses the following configuration parameters:

Cluster physical node names

pkdc1.example.com and pkdc2.example.com:sparse_zone


Note –

Kerberos is hosted in the global zone on pkdc1.example.com and in the non-global zone “sparse_zone” on pkdc2.example.com.


Cluster logical hostname

kdc-1.example.com

Resource group

krb-rg (for all of the resources)

Resources

kdc-1 (logical hostname) and krb-rs (Kerberos application resource)

  1. Register the Kerberos resource type.


    # clresourcetype register SUNW.krb5
    
  2. Create the resource group to contain all of the resources.


    # clresourcegroup create -n pkdc1.example.com,pkdc2.example.com:sparse_zone krb-rg
    
  3. Add the logical hostname resource to the resource group.


    # clreslogicalhostname create -g krb-rg -h kdc-1 kdc-1
    
  4. Add a Kerberos application resource to the resource group.


    # clresource create -g krb-rg -t SUNW.krb5 krb-rs
    
  5. Bring the failover resource group online.


    # clresourcegroup online -M krb-rg
    

Procedure: How to Configure the HAStoragePlus Resource Type

This procedure describes how to configure the HAStoragePlus resource type. This resource type synchronizes actions between HAStorage and Sun Cluster HA for Kerberos and enables you to use a highly available local file system. It is, however, recommended that you use a global file system rather than HAStoragePlus, because Sun Cluster HA for Kerberos is not disk-intensive in most environments.

See Relationship Between Resource Groups and Device Groups in Sun Cluster Data Services Planning and Administration Guide for Solaris OS for background information.

This procedure uses the following configuration parameters:


Note –

The /global/dg1 file system contains the krb-db and krb-conf directories which have symbolic links that point to /var/krb5 and /etc/krb5 respectively.


  1. Register the Kerberos resource type.


    # clresourcetype register SUNW.krb5
    
  2. Create a resource group.


    # clresourcegroup create -n pkdc1.example.com,pkdc2.example.com:sparse_zone krb-rg
    
  3. Add the logical hostname resource to the resource group.


    # clreslogicalhostname create -g krb-rg -h kdc-1 kdc-1
    
  4. Add the Kerberos application resource to the resource group.


    # clresource create -g krb-rg -t SUNW.krb5 krb-rs
    
  5. Register the HAStoragePlus resource type.


    # clresourcetype register SUNW.HAStoragePlus
    
  6. Add the HAStoragePlus resource to the resource group.


    # clresource create -g krb-rg -t SUNW.HAStoragePlus \
    -p FilesystemMountPoints=/global/dg1 \
    -p AffinityOn=TRUE krb-hasp-rs
    
  7. Bring the failover resource group online.


    # clresourcegroup online -M krb-rg