At 08:15 PM 7/10/2006, Gerald (Jerry) Carter wrote:

Don Meyer wrote:

> My question though is what are the ramifications of
> a similar situation:   Where the CNAME might be
> dynamically moved to point to another system's base
> IP address in the case of a transfer of service/fail-over.
> Does this servicePrincipalName for the FQDN need to
> be deleted and added to the new host's object, or
> can the same servicePrincipalName be added to each
> machine's object?  -- each machine that might be
> used to host that service address, that is...

Maybe I misunderstood the original questions.  Are we
trying to get krb5 authentication working with cname
records?  Is the client actually requesting a service
ticket cifs/${name} and the request is failing?
Or is something else wrong?  I admit I only briefly
read the original post.

The original poster (Roy Mann) indicated that he was having krb5 authentication failures when his clients were using a CNAME (FQDN) to connect instead of the server's base (A record) FQDN. It works when using the base FQDN. The reason he is trying to employ CNAMEs in his resource mappings is to facilitate the fail-over process without having to change significant numbers of mappings, etc. in the case of a system failure and fail-over.

My first question was asking about the logical extension of this -- What has to happen at fail-over (CNAME transfer)? If you have multiple machines which might someday be pointed to by the CNAME, can you pre-add the servicePrincipalName using the CNAME to each server's object in the manner you suggest? This way, only the DNS needs to be adjusted to move the CNAME, and as the change propagates the clients should start using the new server.

However, if the servicePrincipalName must be unique, and can only be associated with one server object in the AD at any given time, then this would imply that in order to move the CNAME, one would first need to use the utility you suggest to edit the AD and transfer the servicePrincipalName to another server object.

So which case is it? (I'm hoping for the former, but knowing MS, I'd bet money on the latter...)


(After that first question, I then jumped deeper into the issue -- but let's back out and get this level dealt with first... ;-)

Cheers,
-D



Don Meyer
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

"They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty or safety." -- Benjamin Franklin, 1759
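Which of Don's two cases applies turns on whether one servicePrincipalName may sit on more than one object, so the state to check before (and after) moving a CNAME is whether the alias's cifs/ SPN is currently held by exactly one computer object. The script below is an added example, not code from the thread or from Samba; it parses LDIF as printed by `ldapsearch -LLL "(servicePrincipalName=*)" servicePrincipalName` and reports any SPN registered on more than one object. The sample LDIF, hostnames and DC=example,DC=com domain are constructed.

```python
from collections import defaultdict

# Constructed sample in the LDIF form ldapsearch -LLL prints for an
# AD query on servicePrincipalName; hosts and domain are hypothetical.
SAMPLE_LDIF = """\
dn: CN=FS1,CN=Computers,DC=example,DC=com
servicePrincipalName: cifs/fs1.example.com
servicePrincipalName: cifs/FS1
servicePrincipalName: cifs/files.example.com

dn: CN=FS2,CN=Computers,DC=example,DC=com
servicePrincipalName: cifs/fs2.example.com
servicePrincipalName: cifs/FS2
servicePrincipalName: CIFS/files.example.com
"""


def parse_spns(ldif):
    """Return {spn (lower-cased): [holder DN, ...]} from LDIF text.
    SPNs are lower-cased so a differently cased duplicate is not missed;
    folded lines (leading space) are joined; base64 ("::") values are not handled."""
    spns = defaultdict(list)
    for block in ldif.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]      # LDIF line continuation
            else:
                lines.append(raw)
        dn = None
        for line in lines:
            if line.startswith("dn: "):
                dn = line[4:]
            elif line.startswith("servicePrincipalName: ") and dn:
                spn = line.split(": ", 1)[1].strip().lower()
                if dn not in spns[spn]:
                    spns[spn].append(dn)
    return dict(spns)


def find_duplicates(spn_map):
    """SPNs held by more than one object; a duplicate SPN breaks Kerberos for that name."""
    return {spn: dns for spn, dns in spn_map.items() if len(dns) > 1}


def holders_of(spn_map, spn):
    """Object(s) currently holding an SPN, e.g. the alias's cifs/ SPN before a fail-over."""
    return spn_map.get(spn.lower(), [])


if __name__ == "__main__":
    for spn, dns in find_duplicates(parse_spns(SAMPLE_LDIF)).items():
        print(f"DUPLICATE {spn}: {', '.join(dns)}")
```

Run against real output by piping the ldapsearch result into `parse_spns`; an empty result from `find_duplicates` is the precondition you want before pointing the CNAME at a new host.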
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba