Kerberos authentication

ADQM can authenticate existing users via the Kerberos protocol, which mutually authenticates a client and a server before a connection is established between them.

Basic concepts used in Kerberos:

  • Principal — unique name of a client (user) that is allowed to authenticate with Kerberos.

  • Ticket — temporary data issued to the client for authentication on the server where the required service is located.

  • Key Distribution Center (KDC) — service that issues Kerberos tickets and temporary session keys.

  • Realm — Kerberos network that includes KDC servers and one or multiple clients. The realm name is case-sensitive (it is usually written in uppercase) and is the same as the domain name.

KDC types

The following KDC types are available for an ADQM cluster kerberization:

  • MIT Kerberos that consists of the principal database and the storage of Kerberos keys.

  • MS Active Directory that consists of the principal database and the storage of Windows Server keys.

  • FreeIPA that is a free open source identity management system for Linux/UNIX environments.

The identification and authentication flow is almost the same for all three KDC types; the steps differ only in the KDC being used.

Common requirements

To kerberize an ADQM cluster, you have to ensure the following:

  • ADQM cluster is installed, configured, and ready for work.

  • MIT Kerberos, Active Directory, or FreeIPA user and key storage is set up and ready for work.

  • There is a MIT Kerberos, Active Directory, or FreeIPA administrator account that has full access to create, delete, and manage user accounts.

Users configured for Kerberos authentication can access ADQM only via the HTTP interface, and the HTTP client must support the SPNEGO mechanism. For example, you can use the curl utility. The following command shows whether your curl build supports Kerberos and SPNEGO:

$ curl --version

The output should be similar to:

curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/1.0.2k-fips zlib/1.2.7
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL UnixSockets
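The check above is manual: you read the Features line and look for the right words. The script below is an added example, not part of the ADQM documentation, that performs the same check programmatically so it can run in a provisioning or pre-flight step. It parses the Features line of curl --version output and requires GSS-API, Kerberos and SPNEGO to be present. The two sample outputs are constructed for the example (the first mirrors the output shown above, the second is a build without GSS-API support for contrast).

```shell
#!/bin/sh
# Added example: verify that a curl build advertises the features needed for
# Kerberos/SPNEGO authentication against the ADQM HTTP interface.

# Constructed sample, modelled on the output shown in the documentation.
SAMPLE_CURL_VERSION='curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/1.0.2k-fips zlib/1.2.7
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS GSS-API HSTS HTTPS-proxy IPv6 Kerberos Largefile libz NTLM NTLM_WB SPNEGO SSL UnixSockets'

# Constructed sample of a build compiled without GSS-API, for contrast.
SAMPLE_NO_GSSAPI='curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2
Release-Date: 2022-01-05
Protocols: http https
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IPv6 Largefile libz SSL'

# curl_has_feature OUTPUT NAME
# Returns 0 when NAME appears as a whole word on the "Features:" line of OUTPUT.
# Whole-word matching matters: a plain grep for "Kerberos" would also match
# unrelated text, and "SSL" must not match "OpenSSL" in the banner line.
curl_has_feature() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Features:/ { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# curl_supports_spnego OUTPUT
# Returns 0 only when GSS-API, Kerberos and SPNEGO are all advertised.
curl_supports_spnego() {
    for f in GSS-API Kerberos SPNEGO; do
        curl_has_feature "$1" "$f" || return 1
    done
    return 0
}

# check_local_curl
# Runs the real check against the curl found in PATH, if any.
# Returns 0 if supported, 1 if not, 2 if curl is missing.
check_local_curl() {
    if ! command -v curl >/dev/null 2>&1; then
        echo "curl not found in PATH"
        return 2
    fi
    _out=$(curl --version)
    if curl_supports_spnego "$_out"; then
        echo "local curl supports Kerberos/SPNEGO"
        return 0
    fi
    echo "local curl lacks GSS-API/Kerberos/SPNEGO support"
    return 1
}

# Demonstrate on the constructed sample, then on the local curl if present.
curl_supports_spnego "$SAMPLE_CURL_VERSION" && echo "sample output: Kerberos/SPNEGO supported"
check_local_curl || true
```

A build that fails this check will not be able to negotiate a Kerberos ticket over HTTP no matter how the ADQM side is configured, so it is worth running before troubleshooting server settings.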