About using the VCS DNS agent on UNIX with a secure Windows DNS server

This section describes the requirements for using the DNS agent with a secure Windows DNS server. Note that there are no special requirements for sending non-secure updates to a Windows DNS server.

Software requirement for DNS agent

For the secure updates on Windows DNS server to work, the VCS DNS agent on UNIX requires BIND version 9.7.2-P3 or later installed on all cluster nodes.

Configuration requirement for DNS agent

The VCS DNS agent on UNIX requires setting up Kerberos authentication with the Windows DNS server and configuring the domain and DNS server information in /etc/resolv.conf at the client node.

To set up Kerberos authentication from the UNIX host to the Windows DNS server, configure the Kerberos configuration file (/etc/krb5.conf or /etc/krb/krb5.conf) to use the Windows DNS server as the Key Distribution Centre (KDC).

A sample Kerberos configuration file with domain privdns.sym and DNS server master.privdns.sym is as follows:

[libdefaults]
default_realm = PRIVDNS.SYM
dns_lookup_realm = true
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
allow_weak_crypto = true
[realms]
PRIVDNS.SYM = {
    kdc = master.privdns.sym:88
    kpasswd_server = master.privdns.sym:464
    admin_server = master.privdns.sym
}
[domain_realm]
.privdns.sym = PRIVDNS.SYM
privdns.sym = PRIVDNS.SYM

Note:

The DNS agent does not support configurations in which the KDC and the Domain Controller/DNS server are located on different servers.

Authenticate all the nodes in the cluster on which the DNS agent is configured to run with Active Directory. Run kinit for your user account and use klist to verify that you hold a ticket for the configured realm's principal. Refer to the kinit man page for more information on obtaining Kerberos ticket-granting tickets from the KDC.

Note:

The DNS agent requires the node to be authenticated with Kerberos at all times. Renew the obtained tickets periodically if your authentication method requires you to do so.

A sample run of kinit and klist for the above configuration with user vcsdns will look as follows:

# kinit vcsdns
Password for vcsdns@PRIVDNS.SYM:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: vcsdns@PRIVDNS.SYM
Valid starting     Expires            Service principal
12/14/09 16:17:37  12/15/09 02:19:09  krbtgt/PRIVDNS.SYM@PRIVDNS.SYM
        renew until 12/21/09 16:17:37

If the environment variable KRB5CCNAME is set to a non-default location (the default is /tmp), VCS does not inherit it and looks for the Kerberos tickets in the default location, /tmp.

To resolve this, unset the environment variable KRB5CCNAME and run kinit again, which writes the Kerberos tickets to the default location (/tmp). Alternatively, to keep a customized location (for example, /cache/krb_ticket) for the Kerberos tickets, add the following entries to the /opt/VRTSvcs/bin/vcsenv file on each cluster node before VCS starts:

KRB5CCNAME="FILE:/cache/krb_ticket"
export KRB5CCNAME
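As an added example (not part of the VCS documentation or the product), the following Python script automates what the kinit/klist and KRB5CCNAME steps above ask an administrator to verify by hand on each cluster node: it parses klist output, confirms a non-expired ticket-granting ticket for the configured realm, and checks that the credential cache is where VCS will look (under /tmp by default, or at the KRB5CCNAME path exported from vcsenv). The function names, the constructed klist sample and the short timestamp format are assumptions; on a real node you would feed it the output of klist.

```python
import re
from datetime import datetime

# Constructed sample: the klist output shown in this section, as klist prints it.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: vcsdns@PRIVDNS.SYM
Valid starting     Expires            Service principal
12/14/09 16:17:37  12/15/09 02:19:09  krbtgt/PRIVDNS.SYM@PRIVDNS.SYM
        renew until 12/21/09 16:17:37
"""
KLIST_TS = "%m/%d/%y %H:%M:%S"  # timestamp format used in the sample above (assumed)
TICKET_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
                       r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")

def parse_klist(text):
    """Return (cache name, default principal, [(start, expires, service), ...])."""
    cache = principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        else:
            m = TICKET_RE.match(line.strip())  # header and 'renew until' lines do not match
            if m:
                tickets.append((datetime.strptime(m.group(1), KLIST_TS),
                                datetime.strptime(m.group(2), KLIST_TS), m.group(3)))
    return cache, principal, tickets

def check_node(klist_text, realm, now, krb5ccname=None):
    """List what would stop the DNS agent using this node's tickets (empty list = ready).
    now is the current time in klist format; krb5ccname is what vcsenv exports, if anything."""
    problems = []
    cache, principal, tickets = parse_klist(klist_text)
    path = (cache or "").split(":", 1)[-1]  # drop the 'FILE:' cache-type prefix
    if krb5ccname and path != krb5ccname.split(":", 1)[-1]:
        problems.append("cache %s differs from KRB5CCNAME %s in vcsenv" % (path, krb5ccname))
    elif not krb5ccname and not path.startswith("/tmp/"):
        problems.append("cache %s is outside /tmp, where VCS looks; unset KRB5CCNAME "
                        "and re-run kinit, or export it from vcsenv" % path)
    if not principal or not principal.endswith("@" + realm):
        problems.append("principal %s is not in realm %s" % (principal, realm))
    tgt = [t for t in tickets if t[2] == "krbtgt/%s@%s" % (realm, realm)]
    if not tgt:
        problems.append("no ticket-granting ticket for %s; run kinit" % realm)
    elif tgt[0][1] <= datetime.strptime(now, KLIST_TS):
        problems.append("TGT expired at %s; run kinit again" % tgt[0][1].strftime(KLIST_TS))
    return problems
```

Running check_node on every node before starting VCS (and again from a periodic job, since the agent needs a valid ticket at all times) turns the renewal requirement above into something you can alert on.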

Update /etc/resolv.conf on your client node to add information for the Windows DNS server and the configured domain.