Managing HP Serviceguard for Linux, Sixth Edition, August 2006
Building an HA Cluster Configuration
Preparing Your Systems
Chapter 5126
Username Validation
Serviceguard relies on the ident service of the client node to verify the
username of the incoming network connection. If the Serviceguard
daemon is unable to connect to the client's ident daemon, permission will
be denied.
Root on a node is defined as any user who has the UID of 0. For a user to
be identified as root on a remote system, the “root” user entry in
/etc/passwd for the local system must come before any other user who
may also be UID 0. The ident daemon will return the username for the
first UID match. For Serviceguard to consider a remote user as a root
user on that remote node, the ident service must return the username as
“root”.
It is possible to configure Serviceguard to not use the ident service,
however this configuration is not recommended. Consult the ratepayer
“Securing Serviceguard” for more information.
To disable the Serviceguard features, do the following steps on each node
after installing Serviceguard A.11.16.01 but before having each node
re-join the cluster (e.g. before issuing a cmrunnode or cmruncl).
For Red Hat and SUSE:
1. Change the server_args parameter in the file
/etc/xinetd.d/hacl-cfg
from:
server_args = -c
to
server_args = -c -i
2. Change the server_args parameter in the
/etc/xinetd.d/hacl-probe file to include the -i
For SUSE this would be changed from:
server_args = -f /opt/cmom/log/cmomd.log -r /opt/cmom/run
to
server_args = -i -f /opt/cmom/log/cmomd.log -r
/opt/cmom/run
For Red Hat this would be changed from:
server_args = -f /user/local/cmom/log/cmomd.log -r
/user/local/cmom/run