zlob
Level 7
Message 1 of 9

Cluster HA and Kerberos

Take a 2-node cluster with NTLM authentication, MWG 7.3.2.

Trying to add Kerberos - I don't understand how to.

- I don't have all the information.

My idea:

1. Create a keytab for node 1 with user 1 and add an SPN for the common name, not the VIP FQDN

2. Same for node 2, user 2, SPN

On node 2 I have this error:

[2014-08-06 15:19:22.492 +03:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_API' error : 'Unspecified GSS failure.  Minor code may provide more information'

[2014-08-06 15:19:22.492 +03:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Request is a replay'

[2014-08-06 15:19:22.492 +03:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_API' error : 'Unspecified GSS failure.  Minor code may provide more information'

[2014-08-06 15:19:22.492 +03:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Request is a replay'

[2014-08-06 15:19:24.716 +03:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_API' error : 'Unspecified GSS failure.  Minor code may provide more information'

8 Replies
McAfee Employee jscholte
McAfee Employee
Message 2 of 9

Re: Cluster HA and Kerberos

Hello!

For MWG's in a HA pair, there is nothing special about the Kerberos configuration. You should only need one user account in AD, and one Keytab.

It sounds like you created two users, and subsequently two keytabs. I would suggest deleting both and starting over (to eliminate any duplicates).

You should create the one user, generate the single keytab, add any SPNs via the "setspn" command, and import the keytab into MWG.

You should have no issues after doing this.

The error you are showing "request is a replay" seems very strange... however, I would still perform what I outlined for simplicity's sake.

Best,

Jon

zlob
Level 7
Message 3 of 9

Re: Cluster HA and Kerberos


You should create the one user, generate the single keytab, add any SPNs via the "setspn" command, and import the keytab into MWG.


Import on both nodes?!

McAfee Employee jscholte
McAfee Employee
Message 4 of 9

Re: Cluster HA and Kerberos

Yes-sir-ee-zlob!

McAfee Employee jscholte
McAfee Employee
Message 5 of 9

Re: Cluster HA and Kerberos

Hi zlob,

Were you able to work through this? I saw that there was a support case on it.

Best,

Jon

zlob
Level 7
Message 6 of 9

Re: Cluster HA and Kerberos

Hello.

No answer from support case.

McAfee Employee jscholte
McAfee Employee
Message 7 of 9

Re: Cluster HA and Kerberos

Looks like you just uploaded some data today.

I'll be sure to look at it with my colleague.

Best,

Jon

zlob
Level 7
Message 8 of 9

Re: Cluster HA and Kerberos

Yesterday I found 4 accounts with an SPN for 1 name )))

Need to add a "How-To" for Kerberos and cluster.

McAfee Employee jscholte
McAfee Employee
Message 9 of 9

Re: Cluster HA and Kerberos

Hi Oleg,

I'm aware, I worked with the end-customer to find the duplicates using ldifde and correct the issue. ;-)

I don't believe a special section is needed for cluster configuration because, as I stated in the initial post, there is nothing unique about it. The VIP is just another name for the MWG, so it's just a matter of adding any additional SPNs to the user account.

I adjusted the "Conclusion" section to state the following (adding the keyword "cluster" next to "pool"):

By the end of this document, you should understand how to set up Kerberos on MWG. If you have MWGs in a pool/cluster, you should still only need one keytab file and one user account in AD. All the aliases for the pool/cluster or individual MWGs can be added to the AD user account; no modification needs to be done to the keytab (unless you really want to). All necessary troubleshooting steps are listed in this document. Depending on the situation, klist output, ldifde output, and a client side capture will be the most useful.


Best,

Jon
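The root cause in this thread was the same SPN registered on several AD accounts, which the KDC cannot resolve to one key and which MWG then surfaces as GSS failures. Below is an added example (not from the thread, the MWG documentation, or McAfee) that parses an ldifde export of servicePrincipalName values and reports any SPN held by more than one account; the domain, account names and SPNs in the sample are constructed.

```python
"""Find SPNs registered on more than one AD account in an ldifde export."""
import base64
from collections import defaultdict

# Constructed sample resembling the output of
#   ldifde -f spn.ldf -r "(servicePrincipalName=*)" -l servicePrincipalName
# Hypothetical domain, accounts and hosts; not taken from the thread.
SAMPLE_LDIF = """\
dn: CN=svc-mwg,OU=Service Accounts,DC=example,DC=com
changetype: add
servicePrincipalName: HTTP/mwg-node1.example.com
servicePrincipalName: HTTP/mwg-node2.example.com
servicePrincipalName: HTTP/proxy.example.com

dn: CN=svc-mwg-old,OU=Service Accounts,DC=example,DC=com
changetype: add
servicePrincipalName: http/PROXY.example.com
servicePrincipalName: HTTP/mwg-node2.example.com
"""


def parse_ldif_spns(text):
    """Return {dn: [spn, ...]}; unfolds continuation lines and decodes '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # RFC 2849 folded line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn = {}, None
    for line in lines:
        if not line.strip():                   # blank line ends an entry
            dn = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if attr == "dn":
            dn = value
            entries.setdefault(dn, [])
        elif attr == "serviceprincipalname" and dn is not None:
            entries[dn].append(value)
    return entries


def find_duplicate_spns(entries):
    """Map each SPN (compared case-insensitively, as the KDC does) to the accounts holding it."""
    holders = defaultdict(list)
    for dn, spns in entries.items():
        for spn in spns:
            holders[spn.lower()].append(dn)
    return {spn: dns for spn, dns in holders.items() if len(dns) > 1}


if __name__ == "__main__":
    for spn, dns in sorted(find_duplicate_spns(parse_ldif_spns(SAMPLE_LDIF)).items()):
        print(f"{spn} is registered on {len(dns)} accounts: {', '.join(dns)}")
```

On a real export, every SPN this reports must be removed from all but the single account whose keytab MWG imports; `setspn -X` on a domain controller performs the same duplicate check directly against AD.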
