OK, to keep this updated. With some Kerberos gurus we have looked at how IPA behaves when you change all DNS names, PTR's and A's to the LB-er, and every time you get a ticket from the server service principal itself.

With kvno you can get a ticket for the loadbalancer, but when you run your "failing script" you also see a ticket coming back from the ipa server itself. I have seen some mailings from last year too with no solution... it seems to be a showstopper on that part :(

2015-04-01 20:41 GMT+02:00 Matt . <[email protected]>:
> Hi,
>
> I'm not giving up on this, so I'm testing.
>
> I'm unsure at the moment about the keytab. The keytab is normally for
> the user that needs to be able to do "stuff", but in this case we need
> one for the loadbalancer name or the client .... maybe combined ?
>
> I lost that overview... would be nice to get some advice here.
>
> Thanks!
>
> Matt
>
> 2015-03-31 21:23 GMT+02:00 Matt . <[email protected]>:
>> OK, but we need to do this using IPA or (as IPA does some things
>> different it seems).
>>
>> Anyone testing this perhaps ? (/me is multitasking atm)
>>
>> 2015-03-31 20:22 GMT+02:00 Rob Crittenden <[email protected]>:
>>> Brendan Kearney wrote:
>>>> On Tue, 2015-03-31 at 13:54 -0400, Simo Sorce wrote:
>>>>> On Tue, 2015-03-31 at 13:50 -0400, Simo Sorce wrote:
>>>>>> But IPA is more complex and some operations will be performed directly
>>>>>> against the specific server name, so you need to keep 2 sets of keys
>>>>>> (one for the server name and one for the load balancer name), but that
>>>>>> does not work right now.
>>>>>
>>>>> One experiment that can be done is to remove all "per-server" HTTP
>>>>> services for the IPA server, and instead add their name as aliases on
>>>>> the common load-balancer name.
>>>>>
>>>>> This would mean that all IPA servers would have just one key in their
>>>>> HTTP keytab, but the KDC would release tickets readable by that key for
>>>>> any name the clients may ask for.
>>>>>
>>>>> It is a bit tricky, every time you build a replica you want to
>>>>> load-balance you'll have to go back and remove the service and switch
>>>>> keytabs, but it may be an option. Of course if you brick IPA then you
>>>>> get to keep the pieces :-)
>>>>>
>>>>> Simo.
>>>>>
>>>>
>>>> careful there, as kerberos balks at CNAME records. i think you need to
>>>> use A records. i ran into a couple odd issues and decided to only use
>>>> A/PTR records for my stuff and never went "exploring" for
>>>> options/alternatives.
>>>>
>>>
>>> Not DNS aliases, Kerberos principal aliases.
>>>
>>> rob
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
