To perform this procedure, you need the following information about your configuration.
The name of the resource type for Sun Cluster HA for Kerberos. This name is SUNW.krb5.
The names of the cluster nodes and the non-global zones on the nodes that master the data service.
The network resource that clients use to access the data service. You normally set up this IP address when you install the cluster. See the Sun Cluster Concepts Guide for Solaris OS document for details on network resources.
Become superuser on a cluster node.
Register the resource type for the data service.
# clresourcetype register SUNW.krb5
Create a resource group for the network and Kerberos resources to use.
# clresourcegroup create [-n node[,...]] resource-group
-n node[,...]
Specifies an optional comma-separated list of zones that can master this resource group. Each entry in this list has the format node:zone, where node is the node name and address and zone specifies the name of a non-global Solaris zone. To specify the global zone, or to specify a node without local zones, specify only node. These are the nodes or zones on which the data service can run. The order here determines the order in which the nodes or zones are considered as primary during failover. If all of the cluster nodes or zones are potential masters, you do not need to use the -n option.
This list is optional. If you omit this list, the global zone of each cluster node can master the resource group.
Verify that all of the network resources that are to be used have been added to your name service database.
You should have performed this verification during the Sun Cluster installation. See Chapter 1, Planning the Sun Cluster Configuration, in the Sun Cluster Software Installation Guide for Solaris OS for details.
To avoid any failures because of name service lookup, verify that all of the network resources are present in the server's and client's /etc/inet/hosts file. Configure name service mapping in the /etc/nsswitch.conf file on the servers to first check the local files before trying to access NIS or NIS+.
Add a logical hostname to a resource group.
# clreslogicalhostname create -g resource-group \
-h logical-hostname,[logical-hostname] \
[-N netif@node[,...]] lhresource
-g resource-group
Specifies the name of the resource group. This name can be your choice but must be unique for a resource group within the cluster.
-h logical-hostname,[logical-hostname]
Specifies a comma-separated list of network resources (logical hostname or shared address).
-N netif@node[,...]
Specifies an optional, comma-separated list that identifies the IP Networking Multipathing groups that are on each node. netif can be given as an IP Networking Multipathing group name, such as sc_ipmp0. The node can be identified by the node name or node ID, such as sc_ipmp0@1 or sc_ipmp@phys-schost-1. If you do not specify -N, the clreslogicalhostname command attempts to set the NetIfList property for you based on available IPMP groups or public adapters and the subnet associated with the HostnameList property.
lhresource
Specifies the logical hostname resource to be created in the associated resource group.
If you require a fully qualified hostname, you must specify the fully qualified name with the -h option and you cannot use the fully qualified form in the resource name.
Sun Cluster does not currently support the use of adapter names for netif.
Add a Kerberos application resource to the resource group.
# clresource create -g resource-group -t SUNW.krb5 \
[-p Network_resources_used=network-resource, ...] \
[-p Port_list=port-number/protocol] resource
-p Network_resources_used=network-resource, ...
Specifies a comma-separated list of network resources (logical hostnames or shared addresses) that Kerberos will use. If you do not specify this property, the value defaults to all of the network resources that are contained in the resource group.
-p Port_list=port-number/protocol
Specifies a port number and the protocol to be used. If you do not specify this property, the value defaults to 88/tcp,749/tcp,88/udp.
-t SUNW.krb5
Specifies the name of the resource type to which this resource belongs. This entry is required.
resource
Specifies the name of the resource to be associated with the resource type SUNW.krb5.
The resource is created in the enabled state.
Bring the resource group online:
# clresourcegroup online -M resource-group
The following example shows how to register Sun Cluster HA for Kerberos on a two-node cluster. At the end of this example, the clresourcegroup command starts Sun Cluster HA for Kerberos.
This example uses the following configuration parameters:
Node names: pkdc1.example.com and pkdc2.example.com:sparse_zone
Kerberos is hosted in the global zone on pkdc1.example.com and in the non-global zone “sparse_zone” on pkdc2.example.com.
Logical hostname: kdc-1.example.com
Resource group: krb-rg (for all of the resources)
Resources: kdc-1 (logical hostname) and krb-rs (Kerberos application resource)
Register the Kerberos resource type.
# clresourcetype register SUNW.krb5
Create the resource group to contain all of the resources.
# clresourcegroup create -n pkdc1.example.com,pkdc2.example.com:sparse_zone krb-rg
Add the logical hostname resource to the resource group.
# clreslogicalhostname create -g krb-rg -h kdc-1 kdc-1
Add a Kerberos application resource to the resource group.
# clresource create -g krb-rg -t SUNW.krb5 krb-rs
Bring the failover resource group online.
# clresourcegroup online -M krb-rg
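The name service verification step in the procedure (network resources present in /etc/inet/hosts, and /etc/nsswitch.conf consulting local files before NIS or NIS+) can be scripted and run on each server and client before the logical hostname resource is created. This is an added example, not part of the Sun Cluster documentation: the function names are hypothetical, the script only reads the two files, and it assumes the "hosts:" database entry is the one that matters.

```shell
#!/bin/sh
# Pre-flight name service checks for a KDC logical hostname (added example).

# hosts_has_name FILE NAME
# Succeeds if NAME is a hostname or alias on a non-comment line of FILE.
hosts_has_name() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                      # drop comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)           # field 1 is the IP address
                if (tolower($i) == tolower(name)) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# nsswitch_files_first FILE
# Succeeds if the "hosts:" entry in FILE lists "files" as its first source.
nsswitch_files_first() {
    awk '
        { sub(/#.*/, "") }
        { sub(/^[ \t]*hosts:/, "hosts: ") }     # tolerate "hosts:files"
        $1 == "hosts:" { seen = 1; first = $2 }
        END { exit ((seen && first == "files") ? 0 : 1) }
    ' "$1"
}

# check_kdc_names HOSTS_FILE NSSWITCH_FILE NAME...
# Prints one line per problem; the return status is the number of problems.
check_kdc_names() {
    hosts=$1; nss=$2; shift 2
    problems=0
    nsswitch_files_first "$nss" || {
        echo "FAIL: $nss does not list 'files' first for hosts"
        problems=$((problems + 1))
    }
    for n in "$@"; do
        hosts_has_name "$hosts" "$n" || {
            echo "FAIL: $n missing from $hosts"
            problems=$((problems + 1))
        }
    done
    return "$problems"
}

# Check the live files when names are given, e.g.: sh script kdc-1
if [ "$#" -gt 0 ]; then
    check_kdc_names /etc/inet/hosts /etc/nsswitch.conf "$@"
fi
```

A nonzero exit status means at least one logical hostname would depend on NIS or NIS+ being reachable at failover time.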