
KB-2048 Configure Centrify DirectControl for cluster environment

Centrify DirectControl

12 April,16 at 11:02 AM

Applies to: All versions of the Centrify DirectControl agent on all platforms.

Question:
Cluster configurations are becoming more common in enterprise environments. Does Centrify Suite support a cluster environment? How do I configure it?

Answer:
Yes, Centrify DirectControl supports a cluster environment. Some extra steps must be performed manually so that the DirectControl agents work in a cluster. Below is an example of setting up a DirectControl agent on a clustered web server.

Environment information:
Web server: web.test.lab
Cluster nodes: node1.test.lab, node2.test.lab

Assumption:
Each node of the cluster has already joined the domain in the usual way.
  1. Overview: add the necessary SPNs to the service account web.test.lab, use adkeytab to adopt the account (which produces a keytab file), and merge that keytab into the keytabs of node1.test.lab and node2.test.lab. (The example in this KB shows how to configure an Apache web server.)
  2. Add the SPNs to the cluster service account. There are two ways to do this; pick one:
    1. Ask the AD administrator to add the following SPNs to the service account web:
       Bring up ADSIedit -> locate the target computer object -> right-click and select Properties.
       Find the attribute servicePrincipalName and add the following values to it:
       http/web
       http/web.test.lab
       host/web
       host/web.test.lab
    2. Run the following adkeytab command on Linux. On node1.test.lab, log in as root and run:
       adkeytab -a -P http/web -P http/web.test.lab -P host/web -P host/web.test.lab <authorized ad user> web
  3. Create the keytab file for the service account. Log on to node1.test.lab as root and run:
       adkeytab -A -u <authorized ad user> -K /etc/krb5/web.keytab web
     You can verify the keytab with:
       /usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5/web.keytab
     (you should see the 4 SPNs added in step 2 listed).
  4. Merge the keytab file into the node's keytab. Log on to node1.test.lab as root and run:
       /usr/bin/ktutil
     then, at the ktutil prompt, enter the subcommands:
       rkt /etc/krb5/krb5.keytab
       rkt /etc/krb5/web.keytab
       wkt /etc/krb5/krb5.keytab.new
  5. Run:
       /usr/share/centrifydc/kerberos/bin/klist -kt /etc/krb5/krb5.keytab.new
     You should now see the SPNs for node1.test.lab as well as for web in the list.
  6. Replace the keytab file on the node:
       cd /etc/krb5
       stop httpd
       stop adclient
       mv krb5.keytab krb5.keytab.save   (save the original keytab for backup purposes)
       mv krb5.keytab.new krb5.keytab
       start adclient
       start httpd
  7. Copy the service account keytab, web.keytab, to node2.test.lab.
  8. Repeat steps 4-6 on node2.test.lab.
  9. Test with a browser on Windows.
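The merge-and-install part of the procedure (steps 4 to 6) as an added shell example, not code from this KB or from Centrify: it checks that every SPN added in step 2 is actually present in the merged keytab before the node's keytab is swapped, and keeps the original as krb5.keytab.save for rollback. It assumes MIT-style "klist -kt" output with the principal in the last column, the realm TEST.LAB, and the tool paths and service commands exactly as the KB writes them; the klist listing inside the block is constructed sample data.

```shell
# Added example, not from the Centrify KB: check that a keytab lists every SPN
# the KB adds in step 2 before it is merged and installed (steps 4-6).
# Assumptions: MIT-style "klist -kt" output (principal in the last column),
# realm TEST.LAB, and the tool paths and service commands the KB uses.
KLIST=/usr/share/centrifydc/kerberos/bin/klist
REALM=TEST.LAB
REQUIRED="http/web http/web.test.lab host/web host/web.test.lab"
# Constructed sample of "klist -kt /etc/krb5/web.keytab" after step 3.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/web.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   2 04/12/2016 11:02:00 http/web@TEST.LAB
   2 04/12/2016 11:02:00 http/web.test.lab@TEST.LAB
   2 04/12/2016 11:02:00 host/web@TEST.LAB
   2 04/12/2016 11:02:00 host/web.test.lab@TEST.LAB'
# spns_missing <klist_output>: print the required SPNs absent from the listing
# (space separated); exit 0 when all four are present, 1 otherwise.
spns_missing() {
  listing=$1
  missing=""
  for spn in $REQUIRED; do
    # compare the whole principal token, realm included, so a wrong realm fails
    if ! printf '%s\n' "$listing" |
        awk -v p="$spn@$REALM" '$NF == p { found = 1 } END { exit !found }'; then
      missing="$missing $spn"
    fi
  done
  printf '%s\n' "${missing# }"
  [ -z "$missing" ]
}
# merge_and_install <service_keytab>: steps 4-6 on one node; the merged keytab
# is installed only after the SPN check passes, and the original is kept as
# krb5.keytab.save so the node can be rolled back.
merge_and_install() {
  svc=$1
  cd /etc/krb5 || return 1
  printf 'rkt krb5.keytab\nrkt %s\nwkt krb5.keytab.new\n' "$svc" | /usr/bin/ktutil || return 1
  out=$("$KLIST" -kt krb5.keytab.new) || return 1
  if ! missing=$(spns_missing "$out"); then
    echo "krb5.keytab.new is missing SPNs: $missing" >&2
    rm -f krb5.keytab.new
    return 1
  fi
  stop httpd; stop adclient        # service commands as written in the KB
  cp -p krb5.keytab krb5.keytab.save && mv krb5.keytab.new krb5.keytab
  start adclient; start httpd
}
spns_missing "$SAMPLE_KLIST" >/dev/null && echo "sample keytab lists all four SPNs"
```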
Notes:
Changing the computer password of the service account will cause authentication failures. In that case, perform steps 3-6 again to update the keytab file.