[Freeipa-users] Multiple hostnames

2012-08-07 Thread KodaK
I suspect I'm SOL on this one, but I'd like confirmation.

We have two servers in an HA cluster:

source:

sla710ph1.unix.magellanhealth.com

target:

slahat01.unix.magellanhealth.com

and a service name of:

sla710ph.unix.magellanhealth.com

The service name will float between the HA source and target.

The DBAs tell me that in order for Oracle to work, the hostname has to
return the service name.

There's absolutely no way to do this and remain kerberized, right?  I
can't have two servers (with two different IP addresses) be the same
in IPA, right?

-- 
The government is going to read our mail anyway, might as well make it
tough for them.  GPG Public key ID:  B6A1A7C6

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Multiple hostnames

2012-08-07 Thread Simo Sorce
On Tue, 2012-08-07 at 14:56 -0500, KodaK wrote:
> I suspect I'm SOL on this one, but I'd like confirmation.
> 
> We have two servers in an HA cluster:
> 
> source:
> 
> sla710ph1.unix.magellanhealth.com
> 
> target:
> 
> slahat01.unix.magellanhealth.com
> 
> and a service name of:
> 
> sla710ph.unix.magellanhealth.com
> 
> The service name will float between the HA source and target.
> 
> The DBAs tell me that in order for Oracle to work, the hostname has to
> return the service name.
> 
> There's absolutely no way to do this and remain kerberized, right?  I
> can't have two servers (with two different IP addresses) be the same
> in IPA, right?


Not sure what 'source' and 'target' mean, I guess they are the names of
2 peers in an active/passive HA solution?

There are ways to deal with that.
A simple way is to share the same keytab using the common name for the
fqdn part of the service (means you have to copy and keep the keytab in
sync whenever you reconfigure it).
Of course the service must be able to be configured to pass a specific
name (not use the hostname) or, even better, not specify *any* name, and
let GSSAPI check if any key is able to decrypt the incoming ticket,
ignoring the service name entirely.

Other ways entail using a CNAME for the common name and have DNS
switch it from one to the other 'hard' name. In that case clients will
resolve the CNAME and then acquire a ticket for the correct target host.
However, name caching and TTL issues may make failing over this way less
desirable.

The CNAME trick works better for load balancing (using DNS round robin)
in active/active solutions.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

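A check that follows from the shared-keytab approach above, added here as an example that is not part of the thread: it parses `klist -kt` output captured from each HA node and flags a node where the shared service principal is missing or carries a different kvno (the out-of-sync condition Simo warns about). The principal name `oracle/<service name>`, the realm `EXAMPLE.COM` and the klist captures are constructed assumptions.

```python
"""Compare the shared service principal across HA nodes' keytabs."""
import re
from collections import defaultdict

# Assumed service principal for the floating name (not stated in the thread).
FLOATING_SPN = "oracle/sla710ph.unix.magellanhealth.com@EXAMPLE.COM"

# Constructed `klist -kt` captures, one per HA node. Node 2 holds a stale
# copy of the shared entry (kvno 2) after the service was re-keyed (kvno 3).
NODE_KEYTABS = {
    "sla710ph1.unix.magellanhealth.com": """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   2 08/07/12 14:56:00 host/sla710ph1.unix.magellanhealth.com@EXAMPLE.COM
   3 08/07/12 15:10:00 oracle/sla710ph.unix.magellanhealth.com@EXAMPLE.COM
   3 08/07/12 15:10:00 oracle/sla710ph.unix.magellanhealth.com@EXAMPLE.COM
""",
    "slahat01.unix.magellanhealth.com": """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   2 08/07/12 14:56:00 host/slahat01.unix.magellanhealth.com@EXAMPLE.COM
   2 08/07/12 15:00:00 oracle/sla710ph.unix.magellanhealth.com@EXAMPLE.COM
""",
}

# Entry lines look like: "   3 08/07/12 15:10:00 principal@REALM"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s*$")


def parse_klist(output):
    """Map principal -> set of kvnos (one line per enctype, so repeats are normal)."""
    entries = defaultdict(set)
    for line in output.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries[m.group(2)].add(int(m.group(1)))
    return dict(entries)


def check_floating_principal(principal, node_outputs):
    """Return a list of problems; an empty list means every node agrees."""
    problems, kvno_by_node = [], {}
    for node, output in node_outputs.items():
        kvnos = parse_klist(output).get(principal)
        if not kvnos:
            problems.append(f"{node}: {principal} missing from keytab")
        else:
            kvno_by_node[node] = max(kvnos)
    if len(set(kvno_by_node.values())) > 1:  # nodes hold different key versions
        problems.append("kvno drift: " + ", ".join(
            f"{n}={k}" for n, k in sorted(kvno_by_node.items())))
    return problems


if __name__ == "__main__":
    for p in check_floating_principal(FLOATING_SPN, NODE_KEYTABS) or ["keytabs in sync"]:
        print(p)
```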