
KB-2188: Cluster Configuration with Centrify

Centrify DirectControl

12 April,16 at 11:08 AM

Applies to: Centrify DirectControl version 4.2.x and above

Question:
Two HA (high availability) servers will be configured as a cluster. Assume the two servers are called "nodeA" and "nodeB".

nodeA
Originally the computer name was: node1hub
After Centrify was installed and joined to AD, the computer account was renamed to: nodeA

All AD users are able to log in.
When the computer was joined to AD, AD only knew this computer as 'node1hub', which is fine. If this is the case, be sure 'node1hub' is the alias for BOTH nodes (nodeA and nodeB).

nodeB
The Centrify package was installed but the node was not joined to AD.
The computer name is nodeB and it was cloned from nodeA.

Both nodes have the service IP 10.30.0.3. This IP floats between the active nodes, nodeA and nodeB.

The adinfo output for both nodes looks like this:

# adinfo
Local host name:      nodeA
Joined to domain:     demo.com
Joined as:                node1hub.demo.com
Pre-win2K name:      node1hub
Current DC:              ppai2-win2k8.demo.com
Preferred site:           Default-First-Site-Name
Zone:                       demo.com/centrify/aix
Last password set:    2013-01-10 14:12:17 EST
CentrifyDC mode:      connected

# adinfo
Local host name:      nodeB
Joined to domain:     demo.org
Joined as:                node1hub.demo.com
Pre-win2K name:      node1hub
Current DC:              ppai2-win2k8.demo.com
Preferred site:           Default-First-Site-Name
Zone:                       demo.com/centrify/aix
CentrifyDC mode:      disconnected


/etc/hosts
### PowerHA Entries
10.30.0.3 node1hub.demo.org node1hub
10.30.0.40 nodeA.demo.org nodeA
10.30.0.41 nodeB.demo.org nodeB

 

Answer:

LOGIN to server 'nodeA' as root and run the following:
======================================
1. Use the 'adkeytab' command to add an SPN for both nodeA and nodeB. Before running the adkeytab command, check the current Service Principal Names by executing:

# adinfo --diag
Look for the line 'Service Principal Name'

Example:
# adinfo --diag
Computer Account Diagnostics
Joined as: demo
Key Version: 3
Service Principal Names:   http/nodeA.demo.com
                                       http/nodeA
                                       host/nodeA.demo.com
                                       host/nodeA
                                       ftp/nodeA.demo.com
                                       ftp/nodeA
                                       cifs/nodeA.demo.com
                                       cifs/nodeA


2. Run the following:

# adkeytab --addspn --principal host/nodeA --principal host/nodeA.demo.com -u <admin> -d <domainname>
# adkeytab --addspn --principal host/nodeB --principal host/nodeB.demo.com -u <admin> -d <domainname>


To verify that the SPNs for both aliases have been created, run:
# adinfo --diag

3. To list all the SPNs that now exist in the keytab:
# /usr/share/centrifydc/kerberos/bin/klist -kt

There should be two entries for each node:


4. Tar and gzip the Kerberos keytab and the Centrify kset files (the archive name must directly follow -f):
# cd /
# tar -czvf cluster.tgz /etc/krb5.keytab /var/centrifydc/kset.*


5. Copy cluster.tgz to nodeB


LOGIN to server "nodeB" as root and run the following:
========================================
1. Unzip and untar cluster.tgz from /, so that /etc/krb5.keytab and /var/centrifydc/kset.* are restored to the same paths as on nodeA.

2. Start adclient (use 'restart' if it is already running):
# /usr/share/centrifydc/bin/centrifydc start

3. Verify that adinfo shows adclient is connected to AD:
# adinfo


ON BOTH servers 'nodeA' and 'nodeB' do the following:
-------------------------------------------------------
A) Turn OFF the machine password change, so that neither node rotates the shared computer account password on its own and invalidates the other node's keytab, by editing /etc/centrifydc/centrifydc.conf:

adclient.krb5.password.change.interval: 0

Save the file and then run:  
# adreload

B) Verify that both nodes share the same identity and that the keytab is in sync.

Compare the kvno (key version number) of the host keys in the Kerberos keytab on both nodes; they should match:

# /usr/share/centrifydc/kerberos/bin/klist -kt | grep host | sort

If, for example, the kvno on nodeA is listed as 63 (see below), then nodeB should also list 63:
Snippet from nodeA
.....
....
63 02/09/13 18:01:59 host/nodeA.demo.com@DEMO.COM
63 02/09/13 18:01:59 host/nodeA.demo.com@DEMO.COM
.....
....
63 02/09/13 18:01:59 host/nodeB.demo.com@DEMO.COM
63 02/09/13 18:01:59 host/nodeB.demo.com@DEMO.COM
63 02/09/13 18:01:59 host/nodeB.demo.com@DEMO.COM
....
....


Snippet from nodeB
.....
.....
63 02/09/13 18:01:59 host/nodeA.demo.com@DEMO.COM
63 02/09/13 18:01:59 host/nodeA.demo.com@DEMO.COM
.....
....
63 02/09/13 18:01:59 host/nodeB.demo.com@DEMO.COM
63 02/09/13 18:01:59 host/nodeB.demo.com@DEMO.COM
63 02/09/13 18:01:59 host/nodeB.demo.com@DEMO.COM


Note:
If the kvno does NOT match on both nodes (the keytabs are out of sync), do NOT attempt 'adleave' or 'adjoin'. Go back to nodeA, tar up the keytab again and copy the "cluster.tgz" file over to nodeB:

On nodeA
# cd /
# tar -czvf cluster.tgz /etc/krb5.keytab /var/centrifydc/kset.*
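The following POSIX shell script is an added example and is not part of the Centrify article or the Centrify product. It automates the two verification points of the procedure: it parses an 'adinfo --diag' excerpt and confirms that the SPNs added in step 2 are listed, and it parses the 'klist -kt' output of both nodes and confirms that every host/ principal carries the same kvno, as required in step B. All command output below is constructed from the snippets in this article; the stale nodeB listing (kvno 62) and the SPN host/nodeC are invented to exercise the failure path, and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not Centrify code): post-checks for the cluster keytab procedure,
# run against captured command output so the script works offline.
#   spns_present    - does an `adinfo --diag` excerpt list every SPN the cluster needs?
#   keytabs_in_sync - do two `klist -kt` listings carry the same host/ principals
#                     at the same kvno?

# Constructed `adinfo --diag` excerpt, modelled on the article's output after step 2.
ADINFO_DIAG='Computer Account Diagnostics
Joined as: demo
Key Version: 3
Service Principal Names:   host/nodeA.demo.com
                           host/nodeA
                           host/nodeB.demo.com
                           host/nodeB
                           cifs/nodeA.demo.com
                           cifs/nodeA
Kerberos keytab: /etc/krb5.keytab'

# Constructed `klist -kt` listings. nodeA and nodeB are identical (in sync, kvno 63).
KLIST_NODEA='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------
  63 02/09/13 18:01:59 host/nodeA.demo.com@DEMO.COM
  63 02/09/13 18:01:59 host/nodeA.demo.com@DEMO.COM
  63 02/09/13 18:01:59 host/nodeB.demo.com@DEMO.COM
  63 02/09/13 18:01:59 host/nodeB.demo.com@DEMO.COM'
KLIST_NODEB="$KLIST_NODEA"
# Invented stale listing: a keytab copied before the nodeB key was last updated.
KLIST_STALE='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------
  63 02/09/13 18:01:59 host/nodeA.demo.com@DEMO.COM
  62 01/10/13 14:12:17 host/nodeB.demo.com@DEMO.COM'

# Print the SPNs from an `adinfo --diag` excerpt ($1), one per line. The first SPN
# sits on the "Service Principal Names:" line; the rest are indented continuation
# lines containing a "/". The block ends at the first non-indented line.
list_spns() {
    printf '%s\n' "$1" | awk '
        /^Service Principal Names:/ { inblock = 1; print $NF; next }
        inblock && /^[ \t]+[^ \t]+\// { print $1; next }
        inblock { inblock = 0 }'
}

# Exit 0 if every SPN given after the diag text ($1) is listed, 1 otherwise.
# Missing SPNs are reported on stderr.
spns_present() {
    have=$(list_spns "$1"); shift
    missing=0
    for spn in "$@"; do
        if ! printf '%s\n' "$have" | grep -qxF "$spn"; then
            echo "missing SPN: $spn" >&2
            missing=1
        fi
    done
    return $missing
}

# Print "principal kvno" for each host/ key in a `klist -kt` listing ($1), skipping
# the header and collapsing the duplicate rows klist prints per encryption type.
host_kvnos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $NF ~ /^host\// { print $NF, $1 }' | sort -u
}

# Exit 0 when both listings carry the same host/ principals at the same kvno.
# On a mismatch print both sides so the operator can see which node is stale; the
# article's remedy is to re-copy cluster.tgz from nodeA, never adleave/adjoin.
keytabs_in_sync() {
    left=$(host_kvnos "$1")
    right=$(host_kvnos "$2")
    [ "$left" = "$right" ] && return 0
    echo "host key kvno mismatch:" >&2
    echo "--- first node" >&2;  printf '%s\n' "$left" >&2
    echo "--- second node" >&2; printf '%s\n' "$right" >&2
    return 1
}

# Stand-alone run: exercise both checks on the constructed samples.
spns_present "$ADINFO_DIAG" host/nodeA host/nodeA.demo.com host/nodeB host/nodeB.demo.com \
    && echo "all cluster SPNs present"
keytabs_in_sync "$KLIST_NODEA" "$KLIST_NODEB" && echo "nodeA and nodeB keytabs in sync"
keytabs_in_sync "$KLIST_NODEA" "$KLIST_STALE" || echo "stale keytab detected (expected for the sample)"
```

On a real cluster, replace the constructed strings with the actual output, for example by running 'adinfo --diag' and '/usr/share/centrifydc/kerberos/bin/klist -kt' on each node and capturing the text into the variables before calling the checks.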


C) Test login as an AD user to both nodes.
