1. Installing and Configuring Oracle Solaris Cluster for Kerberos
Oracle Solaris Cluster HA for Kerberos
Installing and Configuring Oracle Solaris Cluster HA for Kerberos
Configuring Oracle Solaris Cluster HA for Kerberos in Non-Global Zones
How to Configure Oracle Solaris Cluster HA for Kerberos in Non-Global Zones
Installing the Oracle Solaris Cluster HA for Kerberos Packages
How to Install the Oracle Solaris Cluster HA for Kerberos Packages
Registering and Configuring Oracle Solaris Cluster HA for Kerberos
How to Register and Configure Oracle Solaris Cluster HA for Kerberos
How to Configure the HAStoragePlus Resource Type
Tuning the Oracle Solaris Cluster HA for Kerberos Fault Monitor
Operations by the Fault Monitor During a Probe
Verifying Oracle Solaris Cluster HA for Kerberos Installation and Configuration
How to Verify Oracle Solaris Cluster HA for Kerberos Installation and Configuration
This section describes the steps to install Kerberos and to enable Kerberos to run as Oracle Solaris Cluster HA for Kerberos.
Oracle Solaris Cluster HA for Kerberos uses the Kerberos server and mechanism libraries co-packaged with the Solaris 10 operating system or later versions of the operating system. See the krb5.conf(4) and kdc.conf(4) man pages for information on how to configure the Kerberos environment. The Oracle Solaris Cluster configuration for Kerberos differs from the Solaris configuration for Kerberos in the following ways:
The Kerberos principal and policy databases are located on the cluster file system, not on a local file system. How to Install Kerberos describes how to configure the server by using a global file system. However, the server can be configured with the HAStoragePlus file system if your environment is heavily loaded with write requests.
A relocatable IP address, not the name of a physical host, identifies the name of a Kerberos server.
In this procedure, the following parameters are used:
Realm name = EXAMPLE.COM
DNS domain name = example.com
Cluster physical node names = pkdc1.example.com and pkdc2.example.com
Cluster logical hostname = kdc-1.example.com
Select the logical hostname so that it corresponds to an IP address set up when you installed the Oracle Solaris Cluster software. See the Oracle Solaris Cluster Concepts Guide for details about logical hostnames.
When populating the hostnames in these configuration files, ensure that they refer to the host's logical name, not the physical name.
Note - This detail ensures that applications running in the same zone as the logical hostname are configured to the corresponding IP addresses.
Here is an example of configuration files with the logical hostnames:
pkdc1# cat /etc/krb5/krb5.conf
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = kdc-1.example.com
                admin_server = kdc-1.example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                period = 1d
                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }
pkdc1# cat /etc/krb5/kdc.conf
[kdcdefaults]
        kdc_ports = 88,750

[realms]
        EXAMPLE.COM = {
                profile = /etc/krb5/krb5.conf
                database_name = /var/krb5/principal
                admin_keytab = /etc/krb5/kadm5.keytab
                acl_file = /etc/krb5/kadm5.acl
                kadmind_port = 749
                max_life = 8h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                default_principal_flags = +preauth
        }

The realm name in the [realms] section of kdc.conf must be the same realm (EXAMPLE.COM) that krb5.conf declares as default_realm; if the two disagree, the KDC serves a realm that no client is configured to use.
Make sure that you also have a valid /etc/resolv.conf file and /etc/nsswitch.conf file configured, for example:
pkdc1# cat /etc/resolv.conf
domain example.com
nameserver 1.2.3.4
nameserver 1.2.3.5
pkdc1# grep dns /etc/nsswitch.conf
hosts: files nis dns
ipnodes: files nis dns
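The two configuration files above are easy to get subtly wrong on a cluster: the realm in kdc.conf must equal default_realm in krb5.conf, and kdc and admin_server must name the logical host (kdc-1.example.com), never a physical node (pkdc1 or pkdc2), or clients lose the KDC on failover. The following script is an added example, not part of the Oracle procedure; it checks those properties against constructed sample files written into a temporary directory. The function names (conf_value, conf_realms, check_krb_conf) and the sample contents are this example's own, chosen to mirror the page's parameters.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): sanity-check a krb5.conf/kdc.conf pair
# before it goes onto the cluster file system. Verifies that every realm declared in
# kdc.conf [realms] equals default_realm in krb5.conf, and that kdc and admin_server
# name the logical host rather than a physical cluster node.

# conf_value FILE SECTION KEY: first "KEY = value" inside [SECTION]
conf_value() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insec = ($1 == sec); next }
        insec && $1 == key && $2 == "=" { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    ' "$1"
}

# conf_realms FILE: realm names declared as "NAME = {" inside [realms]
conf_realms() {
    awk '
        /^[[:space:]]*\[/ { insec = ($1 == "[realms]"); next }
        insec && $2 == "=" && $3 == "{" { print $1 }
    ' "$1"
}

# check_krb_conf KRB5CONF KDCCONF LOGICAL_HOST PHYSICAL_HOST...
# Prints one line per problem; the return status is the number of problems (0 = clean).
check_krb_conf() {
    ck_krb5=$1; ck_kdc=$2; ck_logical=$3; shift 3
    ck_problems=0
    ck_realm=$(conf_value "$ck_krb5" libdefaults default_realm)
    if [ -z "$ck_realm" ]; then
        echo "krb5.conf: no default_realm in [libdefaults]"; ck_problems=$((ck_problems + 1))
    fi
    ck_realms=$(conf_realms "$ck_kdc")
    if [ -z "$ck_realms" ]; then
        echo "kdc.conf: no realm declared in [realms]"; ck_problems=$((ck_problems + 1))
    fi
    for r in $ck_realms; do
        if [ "$r" != "$ck_realm" ]; then
            echo "kdc.conf: realm $r does not match default_realm $ck_realm"
            ck_problems=$((ck_problems + 1))
        fi
    done
    for key in kdc admin_server; do
        v=$(conf_value "$ck_krb5" realms "$key")
        if [ "$v" != "$ck_logical" ]; then
            echo "krb5.conf: $key = '$v', expected logical host $ck_logical"
            ck_problems=$((ck_problems + 1))
        fi
        for phys in "$@"; do
            if [ "$v" = "$phys" ]; then
                echo "krb5.conf: $key names physical node $phys; a failover would strand clients"
                ck_problems=$((ck_problems + 1))
            fi
        done
    done
    return $ck_problems
}

# Constructed sample files (good pair, then a pair with a physical node name and a realm typo)
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
[realms]
        EXAMPLE.COM = {
                kdc = kdc-1.example.com
                admin_server = kdc-1.example.com
        }
[logging]
        kdc = FILE:/var/krb5/kdc.log
EOF
cat > "$WORK/kdc.conf" <<'EOF'
[kdcdefaults]
        kdc_ports = 88,750
[realms]
        EXAMPLE.COM = {
                database_name = /var/krb5/principal
        }
EOF
cat > "$WORK/krb5-bad.conf" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
[realms]
        EXAMPLE.COM = {
                kdc = pkdc1.example.com
                admin_server = kdc-1.example.com
        }
EOF
cat > "$WORK/kdc-bad.conf" <<'EOF'
[realms]
        ACME.COM = {
                database_name = /var/krb5/principal
        }
EOF

for pair in "krb5.conf kdc.conf" "krb5-bad.conf kdc-bad.conf"; do
    set -- $pair
    if check_krb_conf "$WORK/$1" "$WORK/$2" kdc-1.example.com pkdc1.example.com pkdc2.example.com; then
        echo "$1 + $2: OK"
    else
        echo "$1 + $2: $? problem(s)"
    fi
done
```

Run it on the real files with `check_krb_conf /etc/krb5/krb5.conf /etc/krb5/kdc.conf kdc-1.example.com pkdc1.example.com pkdc2.example.com` on each node before the directories are moved to the global file system; a non-zero exit count means the KDC would come up misconfigured on at least one node.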
pkdc1# kdb5_util create
Initializing database '/var/krb5/principal' for realm 'EXAMPLE.COM',
master key name 'K/M@EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: <Type the new master key password>
Re-enter KDC database master key: <Type the above new master key password>
Add the following entry to the kadm5.acl file named by acl_file in kdc.conf (/etc/krb5/kadm5.acl in the example above):

sckrb5-probe/admin@EXAMPLE.COM i

Where:

EXAMPLE.COM
    Realm name chosen in Step 3

i
    The inquire privilege, which enables queries to the database for the sckrb5-probe/admin principal. Grant this principal nothing beyond inquire; the fault monitor only needs to read.
pkdc1# kadmin.local
Authenticating as principal host/admin@EXAMPLE.COM with password.
kadmin.local: ank -randkey -allow_tgs_req kadmin/kdc-1.example.com
NOTICE: no policy specified for kadmin/kdc-1.example.com@EXAMPLE.COM; assigning "default"
Principal "kadmin/kdc-1.example.com@EXAMPLE.COM" created.
kadmin.local: ank -randkey -allow_tgs_req +password_changing_service changepw/kdc-1.example.com
NOTICE: no policy specified for changepw/kdc-1.example.com@EXAMPLE.COM; assigning "default"
Principal "changepw/kdc-1.example.com@EXAMPLE.COM" created.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc-1.example.com changepw/kdc-1.example.com
Entry for principal kadmin/kdc-1.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc-1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc-1.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc-1.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc-1.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc-1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc-1.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc-1.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: ank -randkey host/kdc-1.example.com
NOTICE: no policy specified for host/kdc-1.example.com@EXAMPLE.COM; assigning "default"
Principal "host/kdc-1.example.com@EXAMPLE.COM" created.
kadmin.local: ktadd host/kdc-1.example.com
Entry for principal host/kdc-1.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/kdc-1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/kdc-1.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/kdc-1.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.

Note that the default enctype list on this release also writes DES and ArcFour (RC4) keys into every keytab; both are weak. If no client in your environment needs them, remove them from supported_enctypes in kdc.conf and permitted_enctypes in krb5.conf before creating these principals, so that weak keys never enter the keytabs in the first place.
In these commands, kdc-1.example.com is the fully qualified logical hostname for the cluster, not the name of either physical node.
kadmin.local: ank -randkey kiprop/kdc-1.example.com
NOTICE: no policy specified for kiprop/kdc-1.example.com@EXAMPLE.COM; assigning "default"
Principal "kiprop/kdc-1.example.com@EXAMPLE.COM" created.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kiprop/kdc-1.example.com
Entry for principal kiprop/kdc-1.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/kdc-1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/kdc-1.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/kdc-1.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
For example, move /etc/krb5 and /var/krb5 to a global file system, /global/fs/, as follows:
pkdc1# mv /etc/krb5 /global/fs/krb-conf
pkdc1# mv /var/krb5 /global/fs/krb-db
See the Oracle Solaris Cluster Software Installation Guide for information on setting up cluster file systems.
pkdc1# ln -s /global/fs/krb-conf /etc/krb5
pkdc1# ln -s /global/fs/krb-db /var/krb5
pkdc2# mv /etc/krb5 /etc/krb5.old
pkdc2# mv /var/krb5 /var/krb5.old
pkdc2# ln -s /global/fs/krb-conf /etc/krb5
pkdc2# ln -s /global/fs/krb-db /var/krb5
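The move-and-link steps above differ between the first node (which moves its populated directories onto the global file system) and every other node (which sets its local copies aside as krb5.old and links to the shared copies). The script below is an added example, not from the Oracle guide: it folds both cases into one function that is safe to run on any node in any order and refuses to overwrite data, and adds a permission check for the keytabs and principal database, which now live on a file system that every node mounts. The function names (relocate_dir, check_private) and the sandbox directories standing in for pkdc1, pkdc2 and /global/fs are this example's own.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: relocate a Kerberos directory onto the
# cluster file system the way the procedure does by hand, but as one function that is
# safe to run on every node. On the first node the local directory becomes the global
# copy; on later nodes (global copy already present) the local copy is kept as *.old and
# replaced by the symlink; a second run on any node is a no-op. Never overwrites data.

# relocate_dir LOCAL GLOBAL   (e.g. /etc/krb5 /global/fs/krb-conf)
# Returns 0 on success or when already done, 1 when it refuses to act.
relocate_dir() {
    rl_local=$1; rl_global=$2
    if [ -L "$rl_local" ]; then
        rl_target=$(ls -ld "$rl_local" | sed 's/.* -> //')   # portable readlink
        if [ "$rl_target" = "$rl_global" ]; then
            echo "$rl_local already -> $rl_global"
            return 0
        fi
        echo "$rl_local -> $rl_target, not $rl_global; refusing" >&2
        return 1
    fi
    if [ -d "$rl_global" ]; then
        # global copy exists (populated by an earlier node): set the local one aside
        if [ -d "$rl_local" ]; then
            if [ -e "$rl_local.old" ]; then
                echo "$rl_local.old already exists; refusing" >&2
                return 1
            fi
            mv "$rl_local" "$rl_local.old" || return 1
        fi
    else
        # first node: move the populated local directory onto the cluster file system
        if [ ! -d "$rl_local" ]; then
            echo "$rl_local missing and $rl_global not populated; nothing to relocate" >&2
            return 1
        fi
        mv "$rl_local" "$rl_global" || return 1
    fi
    ln -s "$rl_global" "$rl_local"
}

# check_private FILE...: keytabs and the principal database must stay owner-only once
# they live on a shared file system. Returns the number of offending (or missing) files.
check_private() {
    cp_bad=0
    for cp_f in "$@"; do
        if [ ! -e "$cp_f" ]; then
            echo "$cp_f: missing"; cp_bad=$((cp_bad + 1)); continue
        fi
        cp_mode=$(ls -ld "$cp_f" | cut -c1-10)
        if [ "$(echo "$cp_mode" | cut -c5-10)" != "------" ]; then
            echo "$cp_f: mode $cp_mode is readable by group or others"; cp_bad=$((cp_bad + 1))
        fi
    done
    return $cp_bad
}

# Demonstration in a sandbox standing in for two nodes and the shared /global/fs
SANDBOX=$(mktemp -d); trap 'rm -rf "$SANDBOX"' EXIT
mkdir -p "$SANDBOX/global/fs" "$SANDBOX/node1/etc/krb5" "$SANDBOX/node2/etc/krb5"
echo "default_realm = EXAMPLE.COM" > "$SANDBOX/node1/etc/krb5/krb5.conf"   # constructed stand-in
echo "stale local copy" > "$SANDBOX/node2/etc/krb5/krb5.conf"               # constructed stand-in
touch "$SANDBOX/node1/etc/krb5/kadm5.keytab"; chmod 600 "$SANDBOX/node1/etc/krb5/kadm5.keytab"
# pkdc1: moves /etc/krb5 to /global/fs/krb-conf and links back
relocate_dir "$SANDBOX/node1/etc/krb5" "$SANDBOX/global/fs/krb-conf"
# pkdc2: global copy already there, so its own /etc/krb5 becomes /etc/krb5.old
relocate_dir "$SANDBOX/node2/etc/krb5" "$SANDBOX/global/fs/krb-conf"
if check_private "$SANDBOX/global/fs/krb-conf/kadm5.keytab"; then echo "keytab mode OK"; fi
```

On the real cluster the calls are `relocate_dir /etc/krb5 /global/fs/krb-conf` and `relocate_dir /var/krb5 /global/fs/krb-db` on each node in turn, followed by `check_private /etc/krb5/kadm5.keytab /etc/krb5/krb5.keytab /var/krb5/principal` once the links are in place; the function never deletes the krb5.old copies, so you decide when those can go.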