On Tue, 2012-08-07 at 14:56 -0500, KodaK wrote:
> I suspect I'm SOL on this one, but I'd like confirmation.
> We have two servers in an HA cluster:
> source:
> sla710ph1.unix.magellanhealth.com
> target:
> slahat01.unix.magellanhealth.com
> and a service name of:
> sla710ph.unix.magellanhealth.com
> The service name will float between the HA source and target.
> The DBAs tell me that in order for Oracle to work, the hostname has to
> return the service name.
> There's absolutely no way to do this and remain kerberized, right?  I
> can't have two servers (with two different IP addresses) be "the same"
> in IPA, right?

Not sure what 'source' and 'target' mean, I guess they are the names of
2 peers in an active/passive HA solution?

There are ways to deal with that.
A simple way is to share the same keytab using the "common" name for the
fqdn part of the service (means you have to copy and keep the keytab in
sync whenever you reconfigure it).
Of course the service must be able to be configured to pass a specific
name (not use the hostname) or, even better not specify *any* name, and
let gssapi check if any key is able to decrypt the incoming ticket
ignoring the service name entirely.

Other ways entail using a CNAME for the "common" name and have DNS
switch it from one to the other 'hard' name. In that case clients will
resolve the CNAME and then acquire a ticket for the correct target host.
However, name caching and TTL issues may make failing over this way less

The CNAME trick works better for load balancing (using DNS round robin)
in active/active solutions.


Simo Sorce * Red Hat, Inc * New York
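As an added illustration of the first approach above (one keytab for the "common" service name copied to both peers, which then has to be kept in sync), here is a small MIT keytab parser that compares the copy on each peer and reports any principal whose key version (kvno) or key material has drifted. This is example code written for this note, not code from the thread or from FreeIPA. The realm EXAMPLE.COM, the service principal oracle/sla710ph.unix.magellanhealth.com, the enctype number 18 (aes256-cts) and all key bytes are constructed assumptions; in practice you would read the real files (e.g. /etc/krb5.keytab copied from each host) and compare those.

```python
"""Parse MIT Kerberos keytabs (format 0x0502) and check two HA peers hold the same keys."""
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 0x0502
KRB5_NT_PRINCIPAL = 1        # principal name type used for service principals


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # "service/fqdn@REALM"
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise entries into keytab bytes; used here only to build constructed test data."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name type, timestamp (0 for the constructed sample), 8-bit kvno
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)    # trailing 32-bit kvno written by modern krb5
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return the list of KeytabEntry records in a 0x0502 keytab."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size

        def read_str():
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            s = data[pos:pos + n]
            pos += n
            return s.decode()

        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = read_str()
        comps = [read_str() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        vno = vno8
        if end - pos >= 4:        # optional 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                vno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, vno, enctype, key))
    return entries


def diff_keytabs(a, b):
    """Compare the newest key per (principal, enctype) in two keytabs; return discrepancies."""
    def latest(entries):
        best = {}
        for e in entries:
            k = (e.principal, e.enctype)
            if k not in best or e.kvno > best[k].kvno:
                best[k] = e
        return best

    la, lb = latest(a), latest(b)
    problems = []
    for k in sorted(set(la) | set(lb)):
        ea, eb = la.get(k), lb.get(k)
        if ea is None or eb is None:
            problems.append((k[0], k[1], "missing on one peer"))
        elif ea.kvno != eb.kvno:
            problems.append((k[0], k[1], f"kvno {ea.kvno} vs {eb.kvno}"))
        elif ea.key != eb.key:
            problems.append((k[0], k[1], "same kvno, different key material"))
    return problems


def check_sync(active_keytab: bytes, passive_keytab: bytes):
    """Parse both peers' keytab bytes and return the list of drift problems (empty = in sync)."""
    return diff_keytabs(parse_keytab(active_keytab), parse_keytab(passive_keytab))


# Constructed sample data (assumed realm, service name and enctype; not real keys):
# the active peer was re-keyed to kvno 3 and still holds the old kvno 2 key,
# while the passive peer only has the stale kvno 2 copy.
COMMON_PRINCIPAL = "oracle/sla710ph.unix.magellanhealth.com@EXAMPLE.COM"
AES256_CTS = 18
ACTIVE_KEYTAB = build_keytab([
    KeytabEntry(COMMON_PRINCIPAL, 2, AES256_CTS, b"\x22" * 32),
    KeytabEntry(COMMON_PRINCIPAL, 3, AES256_CTS, b"\x33" * 32),
])
PASSIVE_KEYTAB = build_keytab([
    KeytabEntry(COMMON_PRINCIPAL, 2, AES256_CTS, b"\x22" * 32),
])

if __name__ == "__main__":
    for principal, enctype, why in check_sync(ACTIVE_KEYTAB, PASSIVE_KEYTAB):
        print(f"OUT OF SYNC: {principal} enctype {enctype}: {why}")
```

A kvno mismatch like the one reported here is exactly what breaks after the service is re-keyed on one peer only: clients get tickets under the newest kvno from the KDC, and the passive peer cannot decrypt them once it takes over. Running this check (or simply comparing `klist -kte` output from both hosts) after every keytab change catches that before a failover does.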

Freeipa-users mailing list
