Novell Cluster Services
Novell GroupWise 2014 R2
There are really two things you need to worry about when enabling Kerberos in a cluster.
First, the Kerberos service principal must be bound to the logical hostname of the service, not to the hostname of the cluster node: clients request a ticket for the name they connect to, and that name follows the post office from node to node. To achieve this you cannot use the "net ads keytab add GroupWise" command documented in the simple configuration steps, because it registers the SPN under the node's own machine account. Below is a description of how to create the service principal names for the logical hostname.
Hard Way (step 1): Create the user and SPNs from Windows:
• Create a new user in the Windows domain to represent the GroupWise POA and assign it a password.
• Use the setspn command line tool to create the SPNs (-U says the account is a user; -S refuses to add an SPN that already exists on another account, which would otherwise break authentication for both):
• setspn -U -S groupwise/prv1.mycompany.com poa_prv1
• setspn -U -S groupwise/vm12.lab.mycompany.com poa_prv1
• setspn -U -S groupwise/ngwnameserver.mycompany.com poa_prv1
• You can verify the SPNs by looking at the properties of the user on the Attribute Editor tab.
• You should see a multi-valued attribute called servicePrincipalName.
Hard Way (step 2): Initialize the Kerberos ticket cache on Linux:
• Run the following command to log in to the Windows domain and get a Kerberos ticket (as a non-root user):
• Load a service ticket for each logical-hostname SPN into the cache by referencing it with the kvno command, and note the key version number it prints; you need it in the next step:
• Verify the tickets are cached by running:
Hard Way (step 3): Write the keytab:
• Add the keys into the keytab one at a time:
• add_entry -password -p groupwise/prv1.mycompany.com@MYCOMPANY.COM -k 2 -e arcfour-hmac-md5
• The "2" is replaced with the key version number reported by kvno in the previous step. If the kvno in the keytab does not match the one the KDC puts in the service ticket, the POA cannot decrypt the ticket, so repeat step 2 after any password reset on the account.
• Replace arcfour-hmac-md5 with other encryption types as needed; the entry must use the enctype the KDC actually issued for the service ticket (klist -e shows it). arcfour-hmac-md5 (RC4) is a legacy type whose key depends only on the password. AES keys are additionally salted with the name Active Directory uses for the account (its realm plus sAMAccountName, not the SPN), so a password-based add_entry for an AES enctype only produces a usable key when the salt is supplied correctly.
• Write the keytab:
• Copy the keytab into place:
• sudo cp /tmp/keytab /etc/krb5.keytab
• Add the original host name entries back to krb5.keytab (the copy replaced the file the node already had):
• net ads keytab add groupwise
• Verify with klist -k.
The second issue is getting the keytab file to follow the post office database as it moves from one node to another: a keytab written to the node's local file system stays behind on failover, and the POA on the new node has no keys for the logical-hostname SPNs. To accomplish this we added a new POA startup switch, "--keytab", which specifies the location of the keytab file. Point it at a keytab kept with the post office on the cluster volume so the file fails over with the resource.
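The complete sequence of steps 2 and 3, plus the failover check, as an added shell script that is not part of the Novell documentation. It builds the ktutil command list for every logical-hostname SPN, and it checks a `klist -k` listing for missing SPNs so the keytab on the shared volume can be verified before a failover. The realm, the SPN list, the account name and the shared-volume path are assumed values; the `klist -k` sample is constructed.

```shell
#!/bin/sh
# Added example (not from the Novell/GroupWise documentation).
# Builds the ktutil command list for a clustered POA's logical-hostname SPNs
# and checks a keytab listing for missing entries. All values are assumed.

REALM="MYCOMPANY.COM"            # assumed realm, taken from the page's example
SERVICE="groupwise"
# Logical hostnames that follow the post office (assumed, from the page's example)
LOGICAL_HOSTS="prv1.mycompany.com vm12.lab.mycompany.com ngwnameserver.mycompany.com"
# Assumed location on the cluster volume so the keytab moves with the post office
SHARED_KEYTAB="/media/nss/GWVOL/groupwise/po1/krb5.keytab"

# Print the ktutil commands for step 3: one add_entry per SPN and enctype,
# then wkt to write the file.  Usage: build_ktutil_script KVNO ENCTYPE...
# ktutil prompts for the account password after each add_entry; the same
# password applies to every SPN because they all belong to one account.
build_ktutil_script() {
    kvno="$1"; shift
    for host in $LOGICAL_HOSTS; do
        for etype in "$@"; do
            printf 'add_entry -password -p %s/%s@%s -k %s -e %s\n' \
                "$SERVICE" "$host" "$REALM" "$kvno" "$etype"
        done
    done
    printf 'wkt %s\n' "$SHARED_KEYTAB"
}

# Read a `klist -k` listing on stdin and print every logical-hostname SPN
# that is absent from it.  Returns 0 when all are present, 1 otherwise.
missing_spns() {
    listing=$(cat)
    rc=0
    for host in $LOGICAL_HOSTS; do
        princ="$SERVICE/$host@$REALM"
        case "$listing" in
            *"$princ"*) ;;
            *) echo "$princ"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of `klist -k` output for a keytab that is missing one
# logical-hostname SPN; the last line is a node-specific entry.
SAMPLE_KLIST='Keytab name: FILE:/media/nss/GWVOL/groupwise/po1/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 groupwise/prv1.mycompany.com@MYCOMPANY.COM
   2 groupwise/vm12.lab.mycompany.com@MYCOMPANY.COM
   5 groupwise/gwnode1.mycompany.com@MYCOMPANY.COM'

# Live use, run as the non-root user the POA runs as (needs the AD realm):
#   sh po-keytab.sh prepare poa_prv1 [enctype]  -> step 2, then the ktutil
#                                                  commands for step 3
#   sh po-keytab.sh verify                       -> check the shared keytab
case "${1:-}" in
    prepare)
        kinit "$2@$REALM"                        # TGT for the POA account
        kv=
        for host in $LOGICAL_HOSTS; do           # cache a service ticket per SPN
            kv=$(kvno "$SERVICE/$host" | sed -n 's/.*kvno = //p')
        done
        klist -e                                 # tickets plus the enctype the KDC used
        printf 'Paste into ktutil (enctype must match klist -e):\n'
        build_ktutil_script "$kv" "${3:-arcfour-hmac-md5}"
        ;;
    verify)
        chmod 600 "$SHARED_KEYTAB"               # the keytab holds long-term keys
        if klist -k "$SHARED_KEYTAB" | missing_spns; then
            echo "all logical-hostname SPNs present in $SHARED_KEYTAB"
        else
            echo "missing SPNs listed above" >&2; exit 1
        fi
        ;;
esac
```

The `verify` action is the check to run on the standby node before a planned migration: if any logical-hostname SPN is missing from the keytab named by `--keytab`, Kerberos logins fail as soon as the post office moves. For AES enctypes the `add_entry -password` form only yields a usable key when the salt matches what Active Directory uses for the account; RC4 has no salt, which is why the page's example uses arcfour-hmac-md5.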