Nowadays cluster configuration become more popular in enterprise environment. Does Centrify Suite support cluster environment? How can I configure it?
Yes, Centrify DirectControl supports a cluster environment. We need to manually perform some extra steps in order to make the DirectControl agents work in a cluster. Here is an example of setting a DirectControl agent to work on a cluster web server.
Web Server: web.test.lab
Node of cluster: node1.test.lab, node2.test.lab
Each node of cluster already joined to domain as usual.
- We need to add the necessary SPN to the service account web.test.lab then use adkeytab to adopt it (to get keytab file), and merge it into node1.test.lab and node2.test.lab keytab . (The example in this KB is showing how to config with an Apache web server).
- Ask an AD administrator to add the following SPN into service account web:
Bring up ADSIedit -> Locate the target computer object -> Right-click and select Properties.
Search the attribute: servicePrincipalName
Add following value in it:
- Creating keytab file for the service account:
Log on node1.test.lab as root
Run: adkeytab -A -u <authorzied ad user> -K /etc/krb5/web.keytab web
You can verify the keytab by:
/usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5/web.keytab (you should see 4 SPN created in step1 are listed).
- Merge the keytab file to node of cluster:
Log on node1.test.lab, as root, run following commands:
(in subcommands, do)
- Run: /usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5/krb5.keytab.new -> you should now see SPN for node1.test.lab as well as web in the list.
- Replace the keytab file to the node:
mv krb5.keytab.new krb5.keytab
mv krb5.keytab krb5.keytab.save (save the original keytab for back up purpose)
- Copy service account keytab - web.keytab to node2.test.lab.
- Repeat step 4-6 on node2.test.lab
- Test with browser on windows.
Changing computer password of service account will cause authentication failure. In this case, please perform step 3-6 to update keytab file.