Configure the Key Distribution Center (KDC) server that will be used by the cluster nodes.
Refer to Solaris Kerberos/SEAM (Sun Enterprise Authentication Mechanism) documentation for details.
Set up the time synchronization.
The KDC server must be time synchronized with the cluster nodes as well as any clients that will be using the Sun Cluster HA for NFS services from the cluster. The Network Time Protocol (NTP) method performs time corrections with greater granularity than other methods, and therefore the time synchronization is more reliable. To benefit from this greater reliability, use NTP for the time synchronization.
Verify the DNS client configuration.
The DNS client configuration must be complete and working on all cluster nodes as well as on any NFS clients that will be using secure NFS services from the cluster. Use resolv.conf(4) to verify the DNS client configuration.
The DNS domain name must be made known to the Kerberos configuration by keeping a mapping in the domain_realm section of the krb5.conf(4) file.
The following example shows a mapping of DNS domain name mydept.company.com to Kerberos realm ACME.COM.
    [domain_realm]
        .mydept.company.com = ACME.COM
Ensure that the Master KDC server is up when the Kerberos client software is configured on the cluster nodes.
Ensure that the same configuration file and the same service key table file are available to all cluster nodes.
The /etc/krb5/krb5.conf file must be configured the same on all the cluster nodes. In addition, the default Kerberos keytab file (service key table), /etc/krb5/krb5.keytab, must be configured the same on all the cluster nodes. Consistent configuration can be achieved by copying the files to all cluster nodes. Alternatively, you can keep a single copy of each file on a global file system and install symbolic links to /etc/krb5/krb5.conf and /etc/krb5/krb5.keytab on all cluster nodes.
You can also use a failover file system to make files available to all cluster nodes. However, a failover file system is visible on only one node at a time. Therefore, if Sun Cluster HA for NFS is being used in different resource groups, potentially mastered on different nodes, the files are not visible to all cluster nodes. In addition, this configuration complicates Kerberos client administrative tasks.
Ensure that all Kerberos-related entries in the file /etc/nfssec.conf are uncommented.
On all cluster nodes, as well as on any NFS clients that are configured to use secure NFS services from the cluster, all Kerberos-related entries in the file /etc/nfssec.conf must be uncommented. See nfssec.conf(4).
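The file checks in the steps above can be scripted. The following is an added example, not part of the original documentation or of Sun Cluster itself: it looks up the domain_realm mapping in a krb5.conf, lists copies of a file that differ from a reference copy, and lists Kerberos entries in an nfssec.conf that are still commented out. The function names and the sample files (written to a temporary directory) are constructed for illustration.

```sh
#!/bin/sh
# Added example: checks for the Kerberos client files named in the steps above.
# Function names and sample file contents are constructed for illustration.

# Print the realm that [domain_realm] in a krb5.conf maps ".DOMAIN" to.
realm_for_domain() {            # usage: realm_for_domain FILE DOMAIN
    awk -v want=".$2" '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[domain_realm\]/); next }
        in_sec && /=/ {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            if (kv[1] == want) { print kv[2]; exit }
        }' "$1"
}

# Print each copy (e.g. one fetched per cluster node) that differs from the
# reference copy; return non-zero if any copy differs.
differing_copies() {            # usage: differing_copies REFERENCE COPY...
    ref=$1; shift; rc=0
    for f in "$@"; do
        cmp -s "$ref" "$f" || { echo "$f"; rc=1; }
    done
    return "$rc"
}

# Print Kerberos (krb5, krb5i, krb5p) entries that are still commented out.
commented_krb5_entries() {      # usage: commented_krb5_entries FILE
    awk '/^[ \t]*#[ \t]*krb5[ip]?[ \t]/' "$1"
}

# Constructed sample files standing in for copies collected from three nodes.
demo=$(mktemp -d) && trap 'rm -rf "$demo"' EXIT
printf '[libdefaults]\n\tdefault_realm = ACME.COM\n[domain_realm]\n\t.mydept.company.com = ACME.COM\n' \
    > "$demo/krb5.conf.node1"
cp "$demo/krb5.conf.node1" "$demo/krb5.conf.node2"
printf '[domain_realm]\n' > "$demo/krb5.conf.node3"      # mapping missing
printf '#krb5\t390003\tkerberos_v5\tdefault\t-\nkrb5i\t390004\tkerberos_v5\tdefault\tintegrity\n' \
    > "$demo/nfssec.conf"

echo "realm on node1: $(realm_for_domain "$demo/krb5.conf.node1" mydept.company.com)"
echo "copies differing from node1: $(differing_copies "$demo/krb5.conf.node1" \
    "$demo/krb5.conf.node2" "$demo/krb5.conf.node3")"
echo "nfssec.conf entries still commented out:"
commented_krb5_entries "$demo/nfssec.conf"
```

The same differing_copies call applies to copies of /etc/krb5/krb5.keytab, since cmp compares the files byte for byte.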