Kerberos and hostnames in a HA environment
Henry B. Hotz
hotz at jpl.nasa.gov
Sun Mar 6 17:26:36 EST 2011
Thanks for posting that patch. Is there any chance of getting it rolled into cyrus sasl upstream?
I would strongly advocate it, at least as an option. I really think it ought to be the default, since I believe every kerberized service ought to be set up with its own independent keytab file. Then the service's behavior can be controlled by the content of the keytab file. I don't even believe it's necessary to be able to turn it off, but I expect that people will be afraid to go that far.
On Mar 6, 2011, at 1:05 PM, Russ Allbery wrote:
> Gémes Géza <geza at kzsdabas.hu> writes:
>
>> My problem is, that We've started moving the services offered to our
>> network to a redhat-cluster based HA failover solution (each node is
>> identified by its hostname). E.g. instead of one machine named www now
>> we have two: www-0 and www-1 and www is associated (in the DNS) with an
>> IP address which is given to one of the two nodes providing the
>> associated service (+ the required storage from a SAN). The problem is
>> that to my (humble) knowledge kerberos also uses the hostname for
>> identifying the sevice tickets it needs to obtain, and that hostname is
>> different from what the client requesting access to the service is
>> trying to connect to. I was thinking about using SPN aliases, but our
>> database is LDAP based, and SPN aliases aren't supported there.
>
>> The software versions used are:
>> debian squeeze
>> redhat-cluster 3.0.12
>> heimdal 1.4 (both client, server and kdc)
>> libapache2-mod-auth-kerb 5.4
>> and more as more kerberized services will get migrated (the KDC,
>> OpenLDAP, OpenAFS and OpenSSH being the most important)
>
> Generally, the easiest way to deal with this is to generate keytabs for
> each hostname that a system can be addressed as (so, in your case, both
> www.example.com and www-0.example.com, for www-0) for each service. Then,
> configure all of your Kerberos applications to support authentication to
> any key in the keytab.
>
> For libapache2-mod-auth-kerb, this is a standard option (KrbServiceName
> any). For OpenSSH, you'll need a relatively new OpenSSH with Simon's
> GSSAPI patch for GSSAPIStrictAcceptorCheck no. OpenAFS won't care, since
> it uses a separate principal for the whole cell that doesn't depend on
> hostname.
>
> OpenLDAP is the hardest problem, since it uses Cyrus SASL and Cyrus SASL
> doesn't support checking every key in the keytab by default. There's a
> one-line patch you can apply to Cyrus SASL that fixes this:
>
> index d19a6c2..fcfa2ea 100644
> --- a/plugins/gssapi.c
> +++ b/plugins/gssapi.c
> @@ -693,7 +693,7 @@ gssapi_server_mech_step(void *conn_context,
>
> GSS_LOCK_MUTEX(params->utils);
> maj_stat = gss_acquire_cred(&min_stat,
> - text->server_name,
> + GSS_C_NO_NAME,
> GSS_C_INDEFINITE,
> GSS_C_NO_OID_SET,
> GSS_C_ACCEPT,
>
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the Cyrus-sasl
mailing list