OK, but we need to do this using IPA or (as IPA does some things
differently, it seems).

Anyone testing this perhaps? (/me is multitasking atm)

2015-03-31 20:22 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:
> Brendan Kearney wrote:
>> On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
>>> On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
>>>> But IPA is more complex and some operations will be performed directly
>>>> against the specific server name, so you need to keep 2 sets of keys
>>>> (one for the server name and one for the load balancer name), but that
>>>> does not work right now.
>>>
>>> One experiment that can be done is to remove all "per-server" HTTP
>>> services for the IPA server, and instead add their name as aliases on
>>> the common load-balancer name.
>>>
>>> This would mean that all IPA servers would have just one key in their
>>> HTTP keytab, but the KDC would release tickets readable by that key for
>>> any name the clients may ask for.
>>>
>>> It is a bit tricky, every time you build a replica you want to
>>> load-balance you'll have to go back and remove the service and switch
>>> keytabs, but it may be an option. Of course if you brick IPA then you
>>> get to keep the pieces :-)
>>>
>>> Simo.
>>>
>>
>> Careful there, as Kerberos balks at CNAME records.  I think you need to
>> use A records.  I ran into a couple of odd issues and decided to only use
>> A/PTR records for my stuff and never went "exploring" for
>> options/alternatives.
>>
>
> Not DNS aliases, Kerberos principal aliases.
>
> rob
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

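The experiment Simo describes above (one HTTP principal for the load-balancer name in every replica's keytab, aliases for the per-server names) has a failure mode that is easy to miss operationally: because all replicas must decrypt tickets with the same key, a replica whose keytab carries a different kvno, or one that still holds its old per-server HTTP principal, will fail or behave inconsistently behind the balancer. The following is an added example, not code from the thread or from the FreeIPA project: it parses `klist -k` style listings (constructed inline, not real captures) from several replicas and reports those two inconsistencies. The load-balancer principal name and the host names are assumptions.

```python
"""Consistency check for HTTP keytabs on load-balanced IPA replicas.

Added example, not from the thread or the FreeIPA project.  It parses
`klist -k` style output and checks that every replica holds the same
load-balancer principal at the same kvno, with no leftover per-server
HTTP principal.  Names and listings below are constructed.
"""
import re
from collections import defaultdict

# Assumed load-balancer service principal (not taken from the thread).
LB_PRINCIPAL = "HTTP/ipa.example.com@EXAMPLE.COM"

# Constructed sample `klist -k` output per replica (not real captures).
# ipa2 has a stale kvno; ipa3 still carries its per-server principal.
KEYTABS = {
    "ipa1.example.com": """\
Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 HTTP/ipa.example.com@EXAMPLE.COM
   3 HTTP/ipa.example.com@EXAMPLE.COM
""",
    "ipa2.example.com": """\
Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 HTTP/ipa.example.com@EXAMPLE.COM
""",
    "ipa3.example.com": """\
Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 HTTP/ipa.example.com@EXAMPLE.COM
   1 HTTP/ipa3.example.com@EXAMPLE.COM
""",
}

# One keytab entry line: leading kvno, then the principal name.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def parse_klist(text):
    """Return {principal: set_of_kvnos} from `klist -k` output.

    The header lines ("Keytab name:", "KVNO Principal", "---- ----") do
    not start with a number, so the regex skips them automatically.
    """
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries[m.group(2)].add(int(m.group(1)))
    return dict(entries)


def check_replicas(keytabs, lb_principal):
    """Return a list of findings (empty list means the replicas agree).

    Two things are checked:
      * the highest kvno for the load-balancer principal is the same on
        every replica (generating a fresh key on one replica bumps the
        kvno and silently invalidates the keytab on the others);
      * no replica still holds an extra per-server HTTP principal, which
        is the leftover Simo's note says must be removed.
    """
    findings = []
    parsed = {host: parse_klist(out) for host, out in keytabs.items()}

    # Majority kvno across replicas is taken as the expected one.
    kvnos = [max(p[lb_principal]) for p in parsed.values() if lb_principal in p]
    expected = max(set(kvnos), key=kvnos.count) if kvnos else None

    for host, princs in sorted(parsed.items()):
        if lb_principal not in princs:
            findings.append(f"{host}: missing {lb_principal}; requests via the "
                            f"load balancer cannot be decrypted here")
            continue
        have = max(princs[lb_principal])
        if have != expected:
            findings.append(f"{host}: kvno {have} for {lb_principal}, other "
                            f"replicas have kvno {expected}")
        for princ in sorted(princs):
            if princ != lb_principal and princ.startswith("HTTP/"):
                findings.append(f"{host}: extra per-server principal {princ} "
                                f"still in keytab")
    return findings


if __name__ == "__main__":
    for finding in check_replicas(KEYTABS, LB_PRINCIPAL) or ["all replicas consistent"]:
        print(finding)
```

In practice the listings would come from running `klist -k` against the HTTP keytab on each replica and feeding the captured text into `check_replicas`; the majority-kvno rule is a heuristic that assumes most replicas were provisioned from the same copied keytab.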