OK, but we need to do this using IPA or (as IPA does some things differently, it seems).
Anyone testing this perhaps? (/me is multitasking atm)

2015-03-31 20:22 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
> Brendan Kearney wrote:
>> On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
>>> On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
>>>> But IPA is more complex and some operations will be performed directly
>>>> against the specific server name, so you need to keep 2 sets of keys
>>>> (one for the server name and one for the load balancer name), but that
>>>> does not work right now.
>>>
>>> One experiment that can be done is to remove all "per-server" HTTP
>>> services for the IPA server, and instead add their name as aliases on
>>> the common load-balancer name.
>>>
>>> This would mean that all IPA servers would have just one key in their
>>> HTTP keytab, but the KDC would release tickets readable by that key for
>>> any name the clients may ask for.
>>>
>>> It is a bit tricky, every time you build a replica you want to
>>> load-balance you'll have to go back and remove the service and switch
>>> keytabs, but it may be an option. Of course if you brick IPA then you
>>> get to keep the pieces :-)
>>>
>>> Simo.
>>>
>>
>> Careful there, as Kerberos balks at CNAME records. I think you need to
>> use A records. I ran into a couple of odd issues and decided to only use
>> A/PTR records for my stuff and never went "exploring" for
>> options/alternatives.
>>
>
> Not DNS aliases, Kerberos principal aliases.
>
> rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
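The principal-alias scheme Simo sketches above, modelled as an added example (not code from the thread, from FreeIPA, or from MIT Kerberos). A real KDC encrypts the service ticket with the key of the principal entry it resolves the requested name to; this toy stands in an HMAC under that key for the encryption, and a server "decrypts" by checking the MAC against every key in its keytab. The hostnames, realm and client name are constructed. The point it shows: with one HTTP/<host> principal per server plus a separate load-balancer principal, a server whose keytab holds only its own key cannot read a ticket that a client obtained for the load-balancer name; with the server names registered as aliases of the load-balancer principal, a single key in the keytab reads tickets for any of those names. The model also shows that a keytab holding both keys works at the Kerberos level, which is exactly the "2 sets of keys" arrangement Simo says IPA's tooling did not support at the time.

```python
"""Toy model of Kerberos principal aliases for a load-balanced HTTP service.

Added illustration only: not FreeIPA code and not a real Kerberos protocol
implementation. Ticket "encryption" is replaced by an HMAC keyed with the
service key so the behaviour can be checked offline.
"""
import hashlib
import hmac
import secrets

REALM = "EXAMPLE.TEST"                              # constructed realm
LB = f"HTTP/ipa-lb.example.test@{REALM}"            # constructed load-balancer name
IPA1 = f"HTTP/ipa1.example.test@{REALM}"            # constructed replica names
IPA2 = f"HTTP/ipa2.example.test@{REALM}"
CLIENT = f"alice@{REALM}"                           # constructed client


def new_key() -> bytes:
    """Stand-in for a service principal's long-term key."""
    return secrets.token_bytes(32)


class Kdc:
    """Principal database: canonical entries with keys, plus alias -> canonical map."""

    def __init__(self):
        self.keys = {}      # canonical principal name -> key
        self.resolve = {}   # any requestable name (canonical or alias) -> canonical name

    def add_principal(self, name: str, key: bytes, aliases=()):
        self.keys[name] = key
        self.resolve[name] = name
        for alias in aliases:
            self.resolve[alias] = name

    def issue_ticket(self, client: str, requested: str) -> dict:
        """Seal a ticket for `requested` under the key of the entry it resolves to."""
        canonical = self.resolve.get(requested)
        if canonical is None:
            raise KeyError(f"unknown service principal {requested}")
        body = f"{client}|{requested}".encode()
        sealed = hmac.new(self.keys[canonical], body, hashlib.sha256).digest()
        return {"sname": requested, "body": body, "sealed": sealed}


class HttpServer:
    """A server accepts a ticket if any key in its keytab unseals it."""

    def __init__(self, keytab: dict):
        self.keytab = dict(keytab)  # principal name -> key, like entries in a keytab

    def accept(self, ticket: dict) -> bool:
        for key in self.keytab.values():
            expected = hmac.new(key, ticket["body"], hashlib.sha256).digest()
            if hmac.compare_digest(expected, ticket["sealed"]):
                return True
        return False


def per_server_principals():
    """Separate principals for each host and for the LB name.

    Returns (lb_ticket_ok_with_own_key_only, own_ticket_ok, lb_ticket_ok_with_both_keys).
    """
    kdc = Kdc()
    keys = {name: new_key() for name in (LB, IPA1, IPA2)}
    for name, key in keys.items():
        kdc.add_principal(name, key)
    lb_ticket = kdc.issue_ticket(CLIENT, LB)      # client asked for the LB name
    own_ticket = kdc.issue_ticket(CLIENT, IPA1)   # client asked for ipa1 directly
    ipa1_single = HttpServer({IPA1: keys[IPA1]})              # only its own key
    ipa1_both = HttpServer({IPA1: keys[IPA1], LB: keys[LB]})  # the "2 sets of keys" case
    return (ipa1_single.accept(lb_ticket),
            ipa1_single.accept(own_ticket),
            ipa1_both.accept(lb_ticket))


def aliased_principals():
    """One LB principal with the host names as aliases; each server keeps one key.

    Returns acceptance of tickets for (LB, IPA1, IPA2) on ipa1 and for IPA1 on ipa2.
    """
    kdc = Kdc()
    lb_key = new_key()
    kdc.add_principal(LB, lb_key, aliases=(IPA1, IPA2))
    ipa1 = HttpServer({LB: lb_key})   # single keytab entry
    ipa2 = HttpServer({LB: lb_key})   # same key on every replica behind the LB
    return (ipa1.accept(kdc.issue_ticket(CLIENT, LB)),
            ipa1.accept(kdc.issue_ticket(CLIENT, IPA1)),
            ipa1.accept(kdc.issue_ticket(CLIENT, IPA2)),
            ipa2.accept(kdc.issue_ticket(CLIENT, IPA1)))


if __name__ == "__main__":
    print("per-server principals:", per_server_principals())   # (False, True, True)
    print("aliased principals:  ", aliased_principals())        # (True, True, True, True)
```

The first tuple shows the failure the thread is about: a client that resolved the load-balancer name and landed on ipa1 presents a ticket ipa1 cannot read unless its keytab also carries the LB key. The second shows the alias arrangement, where every replica needs only the LB key and tickets for any alias unseal with it.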