Hi!

Just to share with you: I applied the approach described in this MIT Kerberos admin guide [1]. We used an alias (an "A" DNS record with PTR (reverse DNS)) as the Service Principal for our keytab. Actually, we used the DNS alias created for the front-end Apache httpd used as a load balancer in our KC setup.

[1] Principal names and DNS - https://web.mit.edu/kerberos/krb5-1.11/doc/admin/princ_dns.html
___
Rafael T. C. Soares 

On 07/26/2016 10:27 PM, Rafael T. C. Soares wrote:

Hi!

How should I generate my Kerberos keytab file to use in a KC clustered domain (multiple hosts)?
Do I have to create a keytab for each KC host? When I create the keytab I have to provide the Service Principal (e.g. 'HTTP/myhost.example.com@MYDOM.COM'). But how will KC know which Service Principal it should use if I have different KC instances distributed across different hosts? Is there a way to create a Service Principal in a keytab that serves the entire cluster regardless of the KC host instance?

Thanks in advance!
-- 
___
Rafael T. C. Soares
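
The DNS-alias approach from the reply at the top of this thread, as an added example that is not part of the original messages: it models the default hostname canonicalization described in the MIT guide [1] (forward lookup, then reverse lookup) to show which service principal a client would request for a given name, and why the alias needs its own "A" record and a matching PTR. All host names, addresses and the record tables are constructed for illustration; only the realm and principal format come from the thread.

```python
# Constructed DNS data (illustrative names and RFC 5737 documentation addresses).
A_RECORDS = {
    "kc.example.com": "192.0.2.10",     # load-balancer alias with its own A record
    "node1.example.com": "192.0.2.11",  # one KC host behind the balancer
    "lb.example.com": "192.0.2.11",     # A record whose address has no PTR of its own
}
CNAME_RECORDS = {"sso.example.com": "node1.example.com"}
PTR_RECORDS = {"192.0.2.10": "kc.example.com", "192.0.2.11": "node1.example.com"}


def canonicalize(host, rdns=True):
    """Forward-resolve the name (following CNAMEs), then reverse-resolve the address."""
    name = host.lower().rstrip(".")
    seen = set()
    while name in CNAME_RECORDS:
        if name in seen:
            raise ValueError("CNAME loop for %s" % host)
        seen.add(name)
        name = CNAME_RECORDS[name]
    addr = A_RECORDS.get(name)
    if addr is None:
        return host.lower().rstrip(".")  # lookup failed: name is used as given
    if rdns:
        name = PTR_RECORDS.get(addr, name)  # PTR result replaces the forward name
    return name


def service_principal(host, realm, service="HTTP", rdns=True):
    """Principal a client would request a ticket for when contacting `host`."""
    return "%s/%s@%s" % (service, canonicalize(host, rdns), realm)


def keytab_serves(keytab_principals, host, realm):
    """True if a keytab holding these principals can accept tickets for `host`."""
    return service_principal(host, realm) in keytab_principals


if __name__ == "__main__":
    shared_keytab = {"HTTP/kc.example.com@MYDOM.COM"}  # one keytab for every node
    for h in ("kc.example.com", "sso.example.com", "lb.example.com"):
        print(h, "->", service_principal(h, "MYDOM.COM"),
              "| served by shared keytab:", keytab_serves(shared_keytab, h, "MYDOM.COM"))
```

Only the name with both an "A" record and a PTR pointing back to itself keeps its own principal; the CNAME and the name without a matching PTR both collapse to the node's host name, which a single shared keytab would not cover.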