HP CIFS Server and Kerberos

Chapter 9 Kerberos High Availability Integration
HP CIFS Server is commonly configured as a node in a highly available HP-UX ServiceGuard cluster.
For deployments running with “security = ads”, that usually means users are authenticated with
Kerberos against a Windows domain controller acting as the Key Distribution Center (KDC). By
default, the ServiceGuard configuration has no influence on the Kerberos authentication
mechanism. In fact, since the HP-UX host plays no part in the accessing client's acquisition of its
TGS ticket, the Kerberos authentication mechanism is especially well suited to HA failover.
However, for HP-UX application co-existence – as described in Chapter 5 – the use of the
/etc/krb5.keytab file is required. Since this is a static file holding Kerberos keys used by the
local HP-UX system and/or the CIFS Server, these keys must be available on all nodes in a failover
environment. When smb.conf contains “use Kerberos keytab = yes”, the /etc/krb5.keytab file
must be modified to allow the failover package to run on any adoptive node in the cluster. This holds
true for HP-UX logins as well as HP CIFS Server client logins.
The HP CIFS Server Administration Guide devotes an entire chapter to “Configuring HA HP CIFS.” The
recommended configuration is to locate all of the HP CIFS Server configuration files on the shared
logical volume. This presents a problem for HP-UX system configuration files that are system-global
in usage, and for /etc/krb5.keytab in particular.
For CIFS usage with Kerberos, each system joined to a domain as a member server has a
Kerberos secret key that resides both on the KDC and on the HP-UX member server. By default the
member server holds this key in the /var/opt/samba/private/secrets.tdb tiny database file. With “use
Kerberos keytab = yes” in smb.conf, the secret keys are not placed in secrets.tdb but are instead
held as service principal keys in /etc/krb5.keytab. This configuration migrates the
authentication key from a CIFS/Samba-only repository to an HP-UX system repository.
NOTE: Configuring HP CIFS Server for HA with “security = ads” and the default Kerberos
configuration (which uses secrets.tdb) requires no special HA configuration tasks. Simply follow the
HA configuration instructions in the HP CIFS Server Administration Guide.
For HP-UX system usage, the Kerberos secret keys are always kept in krb5.keytab. Therefore, moving
a single /etc/krb5.keytab file with the package on the shared volume is not possible, because there is
one file per system, that is, per ServiceGuard node. The alternative is to merge the krb5.keytab files
of all the systems (nodes) in the cluster and distribute the merged file to all of the nodes. This way,
the service principals for all system logons (cifs or host) are always available during failover.
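The merge-and-distribute step above is normally done with an MIT-style ktutil (read each node's keytab, write one combined file). The script below is an added example, not part of the HP document or of the HP CIFS Server product: it decodes the MIT v2 keytab format that krb5.keytab uses, merges several per-node files into one while collapsing duplicate entries, refuses to continue if two nodes hold different keys for the same principal/kvno/enctype (a sign one node was re-joined and the cluster copy is stale), and then checks that every node's host/ and cifs/ service principals are present, which is the property failover depends on. The realm EXAMPLE.COM, the node names and all key bytes are constructed sample data.

```python
"""Merge per-node krb5.keytab files into one cluster-wide keytab and verify it.

Added example; realm, node names and key bytes below are constructed, not real.
"""
from __future__ import annotations

import struct
import sys
from dataclasses import dataclass

KEYTAB_VERSION = 0x0502  # MIT keytab file format v2, all integers big-endian


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # e.g. "host/nodea.example.com@EXAMPLE.COM"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int     # 17 = aes128-cts-hmac-sha1-96, 18 = aes256-cts-hmac-sha1-96
    key: bytes


def _counted(b: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_counted(buf: bytes, off: int) -> tuple[bytes, int]:
    (length,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + length], off + length


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Decode every live entry of a v2 keytab; negative-size slots are deleted entries."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # freed slot left behind by a delete
            off += -size
            continue
        body, off = data[off:off + size], off + size
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, p = _read_counted(body, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_counted(body, p)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", body, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", body, p)
        key, p = _read_counted(body, p + 2)
        kvno = vno8
        if len(body) - p >= 4:            # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", body, p)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def serialize_keytab(entries: list[KeytabEntry]) -> bytes:
    out = bytearray(struct.pack(">H", KEYTAB_VERSION))
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)  # full kvno so values above 255 survive
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def merge_keytabs(keytabs: list[bytes]) -> list[KeytabEntry]:
    """Union keyed on (principal, kvno, enctype). The same key seen twice collapses;
    a different key for the same identity means the copies are out of sync, so stop."""
    seen: dict[tuple[str, int, int], KeytabEntry] = {}
    for data in keytabs:
        for e in parse_keytab(data):
            ident = (e.principal, e.kvno, e.enctype)
            if ident not in seen:
                seen[ident] = e
            elif seen[ident].key != e.key:
                raise ValueError(f"conflicting keys for {ident}; re-export from the KDC")
    return sorted(seen.values(), key=lambda e: (e.principal, e.kvno, e.enctype))


def missing_principals(entries, nodes, realm, services=("host", "cifs")) -> list[str]:
    """Service principals an adoptive node would need that the keytab lacks."""
    present = {e.principal for e in entries}
    return [f"{svc}/{node}@{realm}" for node in nodes for svc in services
            if f"{svc}/{node}@{realm}" not in present]


# Constructed sample data (hypothetical realm and nodes, made-up key bytes).
REALM = "EXAMPLE.COM"
NODES = ["nodea.example.com", "nodeb.example.com"]


def sample_entry(service, node, kvno, enctype, key):
    return KeytabEntry(f"{service}/{node}@{REALM}", 1, 1700000000, kvno, enctype, key)


KEYTAB_NODEA = serialize_keytab([
    sample_entry("host", NODES[0], 3, 18, bytes(range(32))),
    sample_entry("cifs", NODES[0], 3, 18, bytes(range(32, 64))),
])
# nodeb also carries a copy of nodea's host key from an earlier merge (exercises dedup)
KEYTAB_NODEB = serialize_keytab([
    sample_entry("host", NODES[1], 5, 17, bytes(range(16))),
    sample_entry("cifs", NODES[1], 5, 17, bytes(range(16, 32))),
    sample_entry("host", NODES[0], 3, 18, bytes(range(32))),
])

if __name__ == "__main__":
    # Usage: python3 merge_keytab.py nodea.keytab nodeb.keytab  (writes merged.keytab)
    blobs = [open(f, "rb").read() for f in sys.argv[1:]] or [KEYTAB_NODEA, KEYTAB_NODEB]
    merged = merge_keytabs(blobs)
    for e in merged:
        print(f"kvno {e.kvno:3d} enctype {e.enctype:2d} {e.principal}")
    print("missing:", missing_principals(merged, NODES, REALM) or "none")
    if len(sys.argv) > 1:
        open("merged.keytab", "wb").write(serialize_keytab(merged))
```

The merged file carries every node's long-term service keys, so it deserves the same handling as each node's own /etc/krb5.keytab: root-only permissions and a copy on every node, refreshed whenever any node re-joins the domain (which changes that node's kvno and would otherwise trip the conflict check above).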
In addition, the CIFS Server requires the member server SID, which resides in the secrets.tdb file, for
user authentication. Even though smb.conf may be configured with “use Kerberos keytab = yes”,
the secrets.tdb file must still be located on the shared volume and migrated with the package on failover.
This requires no additional effort, because /var/opt/samba/private (the location of secrets.tdb)
should always be migrated anyway.