[Authentication] Additional hostnames in SPNs using 'adcli update' or 'adcli join'

Patrice Peterson patrice.peterson at itz.uni-halle.de
Thu Apr 14 12:49:12 UTC 2016


Hi,

We have a compute cluster that is part of our Active Directory domain.
We would like to be able to SSH between all cluster nodes using SSH's
GSSAPI auth mechanism. However, the login node poses a bit of trouble:
The compute nodes reach it as
"login001.cluster-internal.ad.example.com", while the users reach the
login node from a different network interface, using
"cluster1.ad.example.com". The hostname of the login node is also
'cluster1.ad.example.com'.

I am fairly sure I can achieve that by adding both SPNs, 
'host/login001.cluster-internal.ad.example.com' and
'host/cluster1.ad.example.com' to the keytab. However, I wasn't able to
create such a keytab when using the '--service-name' switch for adcli,
as that only allows me to add another service and not another hostname.

Is there a way to do this with just adcli, or do I have to generate the
keytab on a Windows machine with the help of our domain administrator?

Thanks for any help!

- Patrice

-- 
Patrice Peterson
Specialist for HPC Applications
Martin-Luther-Universität Halle-Wittenberg
IT-Servicezentrum, Room E.09.0
Kurt-Mothes-Straße 1
06120 Halle (Saale)
Phone: 0345-55 21864
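
A way to check whether a keytab already holds both host SPNs named in the post, as an added example that is not part of the original message. It reads the MIT keytab file format (version 0x0502); the realm name `AD.EXAMPLE.COM`, the function names and the sample keytab bytes are assumptions constructed for illustration.

```python
import struct

def _counted(b):
    return struct.pack(">H", len(b)) + b

def build_entry(realm, components, kvno, enctype, key):
    """Build one keytab entry; used only to construct the sample data."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno)      # name type, timestamp, kvno
    body += struct.pack(">H", enctype) + _counted(key)
    return struct.pack(">i", len(body)) + body

def keytab_principals(data):
    """Return the set of principals stored in a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, found = 2, set()
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative length marks a deleted entry
            pos += -size
            continue
        entry = data[pos:pos + size]
        if len(entry) < size:
            raise ValueError("truncated keytab entry")
        pos += size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        off, parts = 2, []
        for _ in range(ncomp + 1):    # realm first, then the name components
            (n,) = struct.unpack_from(">H", entry, off)
            parts.append(entry[off + 2:off + 2 + n].decode())
            off += 2 + n
        found.add("/".join(parts[1:]) + "@" + parts[0])
    return found

def missing_spns(data, wanted):
    """List the wanted principals that have no key in the keytab."""
    return sorted(set(wanted) - keytab_principals(data))

REALM = "AD.EXAMPLE.COM"              # assumed realm name, not from the post
WANTED = ["host/cluster1.ad.example.com@" + REALM,
          "host/login001.cluster-internal.ad.example.com@" + REALM]
# Constructed sample: only the public hostname is present, with a dummy key.
SAMPLE = b"\x05\x02" + build_entry(REALM, ["host", "cluster1.ad.example.com"],
                                   2, 18, bytes(32))

if __name__ == "__main__":
    print(missing_spns(SAMPLE, WANTED))
```

To check a real keytab, pass the bytes of the file (for example `/etc/krb5.keytab`, read as root) to `missing_spns` in place of `SAMPLE`.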



