On Tue, 2012-08-07 at 14:56 -0500, KodaK wrote:
> I suspect I'm SOL on this one, but I'd like confirmation.
>
> We have two servers in an HA cluster:
>
> source:
>
> sla710ph1.unix.magellanhealth.com
>
> target:
>
> slahat01.unix.magellanhealth.com
>
> and a service name of:
>
> sla710ph.unix.magellanhealth.com
>
> The service name will float between the HA source and target.
>
> The DBAs tell me that in order for Oracle to work, the hostname has to
> return the service name.
>
> There's absolutely no way to do this and remain kerberized, right? I
> can't have two servers (with two different IP addresses) be "the same"
> in IPA, right?

Not sure what 'source' and 'target' mean; I guess they are the names of 2 peers in an active/passive HA solution?

There are ways to deal with that.

A simple way is to share the same keytab using the "common" name for the fqdn part of the service (this means you have to copy and keep the keytab in sync whenever you reconfigure it). Of course the service must be able to be configured to pass a specific name (not use the hostname) or, even better, not specify *any* name, and let gssapi check if any key is able to decrypt the incoming ticket, ignoring the service name entirely.

Other ways entail using a CNAME for the "common" name and having DNS switch it from one to the other 'hard' name. In that case clients will resolve the CNAME and then acquire a ticket for the correct target host. However, name caching and TTL issues may make failing over this way less desirable. The CNAME trick works better for load balancing (using DNS round robin) in active/active solutions.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
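The shared-keytab approach in the reply above only survives a failover if both nodes hold identical keys for the floating service principal. As an added example (not part of the original thread), this Python code parses two MIT-format keytabs and reports the entries for that principal that differ; the service type `svc`, the realm `EXAMPLE.TEST` and the key bytes are constructed placeholders, not values from the thread.

```python
import hashlib
import struct

def parse_keytab(data):
    """Map (principal, kvno, enctype) -> SHA-256 of the key for an MIT 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    def counted(p):                          # 16-bit length-prefixed string
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n].decode(), p + 2 + n
    entries, pos = {}, 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        start, pos = pos + 4, pos + 4 + abs(size)
        if size <= 0:                        # negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", data, start)
        p, names = start + 2, []
        for _ in range(ncomp + 1):           # realm first, then the name components
            s, p = counted(p)
            names.append(s)
        kvno = data[p + 8]                   # after 4-byte name type, 4-byte timestamp
        enctype, klen = struct.unpack_from(">HH", data, p + 9)
        key = data[p + 13:p + 13 + klen]
        if pos - (p + 13 + klen) >= 4:       # optional 32-bit kvno after the key
            kvno = struct.unpack_from(">I", data, p + 13 + klen)[0] or kvno
        principal = "/".join(names[1:]) + "@" + names[0]
        entries[principal, kvno, enctype] = hashlib.sha256(key).hexdigest()
    return entries

def keytab_drift(node_a, node_b, principal):
    """(kvno, enctype) pairs for principal whose key differs or exists on one node only."""
    a = {k[1:]: v for k, v in parse_keytab(node_a).items() if k[0] == principal}
    b = {k[1:]: v for k, v in parse_keytab(node_b).items() if k[0] == principal}
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

def make_keytab(*entries):                   # builds constructed sample data only
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        body = struct.pack(">H", name.count("/") + 1) + cs(realm)
        body += b"".join(cs(c) for c in name.split("/"))
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
    return out

# Constructed sample: the peer still holds kvno 1 after the key was rotated to kvno 2.
SVC = "svc/sla710ph.unix.magellanhealth.com@EXAMPLE.TEST"
NODE_A = make_keytab((SVC, 2, 18, b"\x11" * 32))
NODE_B = make_keytab((SVC, 1, 18, b"\x22" * 32))
```

An empty result from `keytab_drift` means the two copies agree for that principal; only key hashes are compared, so key material is never printed.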