Hello Mark,


Thanks a lot for your info. On the AD I deleted all "old" entries, followed 
your suggestions and all worked as expected. I really thought too complex. THX 
again for pointing me in the right direction.


Best Regards, Martin Schreiber

Kind regards, Martin SCHREIBER

-----------------------------------------------------------
Martin SCHREIBER
TÜV AUSTRIA HOLDING AG
Krugerstraße 16 1015 Wien/Österreich
Tel.: +43 (0)1 514 07-6050
Fax: +43 (0)1 514 07-76030
E-Mail: [email protected]
RSS-Feed: http://rss.tuv.at/news_de.xml
http://www.tuv.at
-----------------------------------------------------------

Registered office: Krugerstraße 16 1015 Wien/Österreich
Chairman of the Supervisory Board: KR Dipl.-Ing. Johann MARIHART
Executive Board: Dipl.-Ing. Dr. Hugo EBERHARDT (Chairman), Mag. Christoph WENNINGER
Commercial register court/number: Wien / FN 286107 x

-----Original Message-----
From: Mark Pröhl [mailto:[email protected]] 
Sent: Friday, 21 January 2011 19:14
To: [email protected]; Schreiber Martin
Subject: Re: kerberos linux cluster authorization against AD

Hello,

Create a service principal that contains the DNS hostname of the virtual IP 
(the name associated with 10.10.11.149): HTTP/<fqdn of vip>

Use ktpass.exe to create a keytab for that principal.

Copy that keytab to both nodes.

Regards,

Mark Pröhl


On 01/21/2011 09:05 AM, Schreiber Martin wrote:
> Hello List !
>
> Today I'm a little bit more detailed...
>
> First a scheme of our environment
>
>                 virtual cluster ------------------------->  AD
>                        |
>          |-------------+--------------|
>   -------|--------             -------|--------
>   |              |             |              |
>   |    node1     |             |    node2     |
>   |              |             |              |
>   ----------------             ----------------
>
> virtual cluster ip  =  10.10.11.149
> node1 ip            =  10.10.11.147
> node2 ip            =  10.10.11.148
>
>
> The cluster is realized with SUSE Linux SLES 11 SP1 and the LVS 
> toolset (ipvsadm, ldirectord); the cluster is active/active with apache and 
> tomcat running on each physical node. It is planned to authenticate the 
> environment via mod_auth_kerb against Active Directory. As I explained in my 
> first mail, that works if I do that with one physical node only. I followed 
> the well known howtos and made kerberos tickets and keytabs which were 
> copied to the linux node. After configuring the apache clients all worked as 
> expected, the AD users could access the apache websites without any user and 
> password interactions.
>
> Trouble began with "kerberizing" the cluster itself. I created keytabs for 
> both physical nodes via the ktpass utility and copied the keys to the nodes. A 
> kinit was successful. But authorization was impossible, the logs showed me 
> error messages, because the request for web access was directed to the 
> "virtual" cluster address, which is pretty ok and expected. Now my 
> question, how to "kerberize" the VIRTUAL CLUSTER IP ??
>
> What did I overlook? Perhaps that approach is really impossible? Is there 
> a workaround to make this happen?
>
>
> Best Regards            Martin  Schreiber
>
>
> ________________________________________________
> Kerberos mailing list           [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

