Managing Serviceguard 14th Edition, June 2007
Building an HA Cluster Configuration
Preparing Your Systems
Chapter 5 203
NOTE Configure the name service switch to consult the /etc/hosts file before
other services such as DNS, NIS, or LDAP. See “Defining Name
Resolution Services” on page 209 for instructions.
Username Validation
Serviceguard relies on the identd daemon (usually started by inetd
from /etc/inetd.conf) to verify the username of the incoming network
connection. If the Serviceguard daemon is unable to connect to the
identd daemon, permission will be denied.
For Serviceguard to consider a remote user as the root user on that
remote node, identd must return the username “root”. Because identd
returns the username for the first match on UID 0, this means the entry
for the root user in /etc/passwd on each node must come before any
other entry with a UID of 0.
If you need to disable identd, you can configure Serviceguard not to
use identd.
CAUTION This is not recommended. Consult the white paper Securing
Serviceguard at http://docs.hp.com -> High Availability ->
Serviceguard -> White Papers for more information.
If you must disable identd, you can do so by adding the -i option to the
tcp hacl-cfg and hacl-probe commands in /etc/inetd.conf.
For example:
1. Change the cmclconfd entry in /etc/inetd.conf to:
hacl-cfg stream tcp nowait root /usr/lbin/cmclconfd cmclconfd -c -i
2. Change the cmomd entry in /etc/inetd.conf to:
hacl-probe stream tcp nowait root /opt/cmom/lbin/cmomd /opt/cmom/lbin/cmomd -i \
-f /var/opt/cmom/cmomd.log -r /var/opt/cmom
3. Restart inetd:
/etc/init.d/inetd restart
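
The following audit script is an added example, not code from this manual or from HP. It checks the two conditions described above: that root is the first UID 0 entry in /etc/passwd, and whether any hacl-cfg or hacl-probe entry in /etc/inetd.conf carries the -i option. The function names, the "toor" account and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added audit example for the identd notes above; not HP-supplied code.

# Print the first passwd entry with UID 0 (the name identd returns for UID 0,
# per the text). $1 = passwd file, default /etc/passwd.
first_uid0_user() {
    awk -F: '$3 ~ /^0+$/ { print $1; exit }' "${1:-/etc/passwd}"
}

# Succeed only if "root" is the first UID 0 entry in the passwd file.
root_is_first_uid0() {
    [ "$(first_uid0_user "$1")" = "root" ]
}

# Print each active hacl-cfg / hacl-probe service in inetd.conf whose server
# arguments include -i (identd lookup disabled). $1 = inetd.conf path.
identd_disabled_services() {
    awk '
        /^[ \t]*#/  { next }                          # skip comment lines
                    { buf = buf $0 }
        buf ~ /\\$/ { sub(/\\$/, " ", buf); next }    # join "\" continuations
        {
            n = split(buf, f); buf = ""
            if (f[1] != "hacl-cfg" && f[1] != "hacl-probe") next
            for (i = 8; i <= n; i++) if (f[i] == "-i") { print f[1]; break }
        }' "${1:-/etc/inetd.conf}"
}

# Constructed sample input (not from a real system): "toor" precedes "root",
# and only the hacl-cfg entry has -i.
demo() {
    d=${TMPDIR:-/tmp}/sgaudit.$$
    mkdir -m 700 "$d" || return 1
    printf '%s\n' 'toor:*:0:3::/:/sbin/sh' 'root:*:0:3::/:/sbin/sh' \
        'daemon:*:1:5::/:/sbin/sh' > "$d/passwd"
    printf '%s\n' \
        'hacl-cfg stream tcp nowait root /usr/lbin/cmclconfd cmclconfd -c -i' \
        'hacl-probe stream tcp nowait root /opt/cmom/lbin/cmomd /opt/cmom/lbin/cmomd \' \
        '-f /var/opt/cmom/cmomd.log -r /var/opt/cmom' > "$d/inetd.conf"
    root_is_first_uid0 "$d/passwd" ||
        echo "WARN: first UID 0 entry is $(first_uid0_user "$d/passwd"), not root"
    for s in $(identd_disabled_services "$d/inetd.conf"); do
        echo "WARN: $s runs with -i (identd check disabled)"
    done
    rm -rf "$d"
}
demo
```

On a cluster node, call root_is_first_uid0 and identd_disabled_services with no argument to check the live /etc/passwd and /etc/inetd.conf.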