Authenticating Pacemaker cluster nodes allows pcs to coordinate resource management and distribute cluster configuration across hosts without manual credential prompts on every action.
The pcs host auth command uses the hacluster account to authenticate with the pcsd daemon on each node, establishing a trust relationship used by later cluster operations. Once authorized, pcs can communicate with the approved nodes for cluster setup and ongoing administration tasks.
Node names must resolve consistently (short name vs FQDN), and network reachability to pcsd must be available between nodes (TCP 2224 by default). Incorrect passwords, hostname resolution issues, or blocked ports can produce partial authorization that prevents cluster creation or node additions from completing cleanly.
Related: How to create a Pacemaker cluster
Related: How to add a node to a Pacemaker cluster
$ getent hosts node-01.example.net node-02.example.net node-03.example.net
192.0.2.11 node-01.example.net node-01
192.0.2.12 node-02.example.net node-02
192.0.2.13 node-03.example.net node-03
Pass the same hostname form to all pcs commands to avoid authorizing duplicates (node-01 vs node-01.example.net).
$ sudo passwd hacluster
New password:
Retype new password:
passwd: password updated successfully.
The password must match on every node for a single interactive pcs host auth run.
$ sudo systemctl is-active pcsd
active
pcsd listens on TCP port 2224 by default, so host firewalls must allow node-to-node access.
$ sudo pcs host auth node-01 node-02 node-03 -u hacluster -p 'ClusterPass123!'
node-01: Authorized
node-02: Authorized
node-03: Authorized
hacluster credentials are used to authorize multiple nodes, so initiate authentication only from a trusted administrative system.
$ sudo pcs host auth node-01 -u hacluster -p 'ClusterPass123!'
node-01: Authorized
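The name-consistency and partial-authorization problems described above can be caught with a small script. This is an added example, not part of the original page or of pcs: the function names are hypothetical, the sample data is constructed, and it does not test reachability of TCP 2224.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample data is constructed.

# stdin: `getent hosts` output. args: node names exactly as given to pcs.
# Prints one line per problem; returns 0 only when the name list is clean.
check_node_names() {
    awk -v names="$*" '
        { for (i = 2; i <= NF; i++) ip[$i] = $1 }   # map every name and alias to its IP
        END {
            n = split(names, want, " ")
            for (k = 1; k <= n; k++) {
                name = want[k]
                if (!(name in ip)) { print "UNRESOLVED " name; bad = 1; continue }
                addr = ip[name]
                if (addr in seen) { print "DUPLICATE " name " = " seen[addr] " (" addr ")"; bad = 1 }
                else seen[addr] = name
                if (index(name, ".")) fqdn++; else shortn++
            }
            if (fqdn && shortn) { print "MIXED short and FQDN forms"; bad = 1 }
            exit bad + 0
        }'
}

# stdin: saved output of `pcs host auth`. args: the nodes that were requested.
# Prints each node without a "<node>: Authorized" line; returns 1 if any is
# missing, which is the partial-authorization case.
unauthorized_nodes() {
    out=$(cat)
    rc=0
    for node in "$@"; do
        printf '%s\n' "$out" | grep -qxF "$node: Authorized" || { echo "$node"; rc=1; }
    done
    return $rc
}

# Constructed sample in the same layout as the getent output shown above.
SAMPLE_HOSTS='192.0.2.11 node-01.example.net node-01
192.0.2.12 node-02.example.net node-02
192.0.2.13 node-03.example.net node-03'

# Live use: getent hosts node-01 node-02 node-03 | check_node_names node-01 node-02 node-03
printf '%s\n' "$SAMPLE_HOSTS" | check_node_names node-01 node-02 node-03 && echo "names OK"
printf '%s\n' "$SAMPLE_HOSTS" | check_node_names node-01 node-01.example.net node-04 \
    || echo "fix the name list before running pcs host auth"
```

When running the real command, omitting -p makes pcs host auth prompt for the password, which keeps it out of shell history and the process list.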