Sun Cluster Data Service for Kerberos Guide for Solaris OS

Configuring Sun Cluster HA for Kerberos in Non-Global Zones

You can configure the Sun Cluster HA for Kerberos service within a non-global zone on Solaris 10 and later versions of the operating system. Given that all the realm's keys are stored in the KDC's principal database, it is helpful to compartmentalize access to system resources, such as file systems, into a non-global zone.


Note –

Sun Cluster software allows you to create different zones on the same node in which to deploy the Kerberos failover resources. To provide high availability, however, create the zones that deploy Kerberos failover resources on different nodes.



Note –

The Kerberos data service is supported on a sparse root non-global zone.


Procedure: How to Configure Sun Cluster HA for Kerberos in Non-Global Zones

Perform this procedure only if you want to configure the Sun Cluster HA for Kerberos service within a non-global zone.


Note –

Configuring the Sun Cluster HA for Kerberos service in a global zone is similar to Installing Kerberos on a node.


If you do not want to configure the Sun Cluster HA for Kerberos service within a non-global zone, do not perform this procedure. Instead, go to Installing Kerberos.

This procedure is written for use on a global file system. In this procedure, the following parameters are used:

    Create the non-global zone directory and mount it from the global zone. Perform this on each of the cluster nodes.


    sparse_zone# mkdir -p /global/fs
    

    global# zonecfg -z sparse_zone
    
    	zonecfg:sparse_zone> add fs
    	zonecfg:sparse_zone:fs> set dir=/global/fs
    	zonecfg:sparse_zone:fs> set special=/global/fs
    	zonecfg:sparse_zone:fs> set type=lofs
    	zonecfg:sparse_zone:fs> end
    	zonecfg:sparse_zone> verify
    	zonecfg:sparse_zone> commit
    	zonecfg:sparse_zone> exit

    global# zoneadm -z sparse_zone reboot
    

    Where /global/fs is a global file system that has already been configured in the global zone.


    Note –

    The path in the non-global zone must be identical to the path in the global zone.



    Note –

    To simplify cluster administration, use the same non-global zone name on each node where resource groups are to be brought online in the non-global zone.
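
As an added example (not part of the Sun Cluster documentation), the following shell function checks the output of `zonecfg -z sparse_zone info fs` on a node for the fs resource this procedure creates: `dir` and `special` both equal to the global path, and `type` set to `lofs`. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that a zone's fs resource loopback-mounts the global
# file system at the identical path. Reads `zonecfg info fs` output on stdin.
# On a cluster node, from the global zone:
#   zonecfg -z sparse_zone info fs | check_lofs_fs /global/fs

check_lofs_fs() {
    # $1 = path expected in both the global and the non-global zone
    awk -v want="$1" '
        function check_block() {
            if (seen && dir == want) {
                found = 1
                if (special != want) {
                    print "FAIL: special=" special " differs from dir=" dir
                    bad = 1
                }
                if (fstype != "lofs") {
                    print "FAIL: type=" fstype " (expected lofs)"
                    bad = 1
                }
            }
            dir = ""; special = ""; fstype = ""
        }
        /^fs:/ { check_block(); seen = 1; next }   # a new fs resource starts
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^dir: /)     dir = substr(line, 6)
            if (line ~ /^special: /) special = substr(line, 10)
            if (line ~ /^type: /)    fstype = substr(line, 7)
        }
        END {
            check_block()
            if (!found) { print "FAIL: no fs resource with dir=" want; exit 1 }
            if (bad) exit 1
            print "OK: " want " is a lofs mount of the same global path"
        }'
}

# Constructed sample of `zonecfg info fs` output, not captured from a real system.
# $1 = dir, $2 = special, $3 = type
sample_fs_info() {
    printf 'fs:\n\tdir: %s\n\tspecial: %s\n\traw not specified\n\ttype: %s\n\toptions: []\n' \
        "$1" "$2" "$3"
}

# Demonstration on the constructed sample.
sample_fs_info /global/fs /global/fs lofs | check_lofs_fs /global/fs
```

Run the check on every node that hosts the zone; a nonzero exit status means the fs resource is missing or does not match the procedure.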


Next Steps

When you have configured the file system on all the non-global zones, go to How to Install Kerberos. Perform the steps in that procedure in the non-global zone rather than the global zone.