<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi!</p>
<p>Just to share with you: I applied the approach described in this
MIT Kerberos admin guide [1]. We used an alias (an "A" DNS record
with PTR (reverse DNS)) as the Service Principal for our keytab.
Actually, we used the DNS alias created for the front-end Apache
httpd used as a load balancer in our KC setup. <br>
</p>
[1] <b><i>Principal names and DNS</i></b> -
<a class="moz-txt-link-freetext" href="https://web.mit.edu/kerberos/krb5-1.11/doc/admin/princ_dns.html">https://web.mit.edu/kerberos/krb5-1.11/doc/admin/princ_dns.html</a><br>
<pre class="moz-signature" cols="72">___
Rafael T. C. Soares
</pre>
<div class="moz-cite-prefix">On 07/26/2016 10:27 PM, Rafael T. C.
Soares wrote:<br>
</div>
<blockquote
cite="mid:bd4b56e4-9214-9745-710d-8f4af631ab94@redhat.com"
type="cite">
<p><font size="-1"><font face="DejaVu Sans">Hi!</font></font></p>
<font size="-1"><font face="DejaVu Sans">How should I generate my
Kerberos keytab file to use in a KC clustered domain (multiple
hosts)?<br>
Do I have to create a keytab for each KC host? When I create the
keytab I have to specify the Service Principal (e.g. '</font></font><font
size="-1"><font face="DejaVu Sans">
<font face="Courier New, Courier, monospace"><a
moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:HTTP/myhost.example.com@MYDOM.COM">HTTP/myhost.example.com@MYDOM.COM</a></font>').
But how will KC know which Service Principal it should use
if I have different KC instances distributed on different
hosts? Is there a way to create a Service Principal in a
keytab that serves the entire cluster regardless of the KC
host instance?<br>
<br>
Thanks in advance!<br>
</font></font>
<pre class="moz-signature" cols="72">--
___
Rafael T. C. Soares </pre>
</blockquote>
<br>
</body>
</html>