Use MIT Kerberos server

Setup Kerberos server

NOTE
  • Kerberos KDC can be installed on any host that has access to a host with ADCM installed (FQDN connectivity).

  • KDC can also be installed on the same host as ADCM.

The example below describes how to install a Kerberos KDC on the dev-adcm-test.ru-central1.internal host, which runs the CentOS operating system and ADCM.

  1. Install the Kerberos packages on the host:

    $ sudo -i
    yum install krb5-libs krb5-server krb5-workstation
  2. Make changes to the configuration files.

    • In the /var/kerberos/krb5kdc/kdc.conf file, set realm to RU-CENTRAL1.INTERNAL:

      [kdcdefaults]
       kdc_ports = 88
       kdc_tcp_ports = 88
      
      [realms]
       RU-CENTRAL1.INTERNAL = {
        #master_key_type = aes256-cts
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
       }
    • In the /etc/krb5.conf file, set RU-CENTRAL1.INTERNAL as the default_realm parameter value, and also fill in the [realms] and [domain_realm] sections:

      # Configuration snippets may be placed in this directory as well
      includedir /etc/krb5.conf.d/
      
      [logging]
       default = FILE:/var/log/krb5libs.log
       kdc = FILE:/var/log/krb5kdc.log
       admin_server = FILE:/var/log/kadmind.log
      
      [libdefaults]
       dns_lookup_realm = false
       ticket_lifetime = 24h
       renew_lifetime = 7d
       forwardable = true
       rdns = false
       pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
       default_realm = RU-CENTRAL1.INTERNAL
       default_ccache_name = KEYRING:persistent:%{uid}
      
      [realms]
       RU-CENTRAL1.INTERNAL = {
        kdc = dev-adcm-test.ru-central1.internal
        admin_server = dev-adcm-test.ru-central1.internal
       }
      
      [domain_realm]
       .ru-central1.internal = RU-CENTRAL1.INTERNAL
       ru-central1.internal = RU-CENTRAL1.INTERNAL
    • Modify the /var/kerberos/krb5kdc/kadm5.acl file as shown below so that any /admin principal in the RU-CENTRAL1.INTERNAL realm has all administrative privileges except key extraction:

      */admin@RU-CENTRAL1.INTERNAL    *

    For detailed descriptions of tags in these files, see the kdc.conf, krb5.conf, and kadm5.acl articles of the MIT Kerberos documentation.

  3. Create the Kerberos database using the kdb5_util utility:

    kdb5_util create -s -P P@ssw0rd
  4. Run the following commands in turn to start the Kerberos admin server (kadmin) and the KDC (krb5kdc) services:

    systemctl start kadmin
    systemctl start krb5kdc

    You can check the status of running services with the commands:

    systemctl status kadmin
    systemctl status krb5kdc
  5. Create user principals. To do this, use the Kerberos administrator console — kadmin.local.

    A user principal name in a Kerberos database usually follows the primary/instance@REALM pattern, where:

    • primary is a username (for successful authentication to ADQM, it is required that this part of a principal matches the name of an ADQM user configured to authenticate via Kerberos);

    • instance is an optional component that qualifies primary. If primary is a username, then instance is usually not specified or can be used to define an additional principal for the user (for example, john@RU-CENTRAL1.INTERNAL and john/admin@RU-CENTRAL1.INTERNAL are separate principals with different passwords and permissions).

    For example, create the admin/admin administrative principal and the adqm_kerb user principal:

    kadmin.local -q "add_principal -pw P@ssw0rd admin/admin"
    kadmin.local -q "add_principal -pw P@ssw0rd adqm_kerb"

    For a complete description of the kadmin.local command line interface and its options, see the kadmin article of the MIT Kerberos documentation.
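    The following shell script is an added example; it is not part of the Arenadata documentation or of MIT Kerberos. It audits the three files written in step 2 for the problems a reviewer would look for before starting the KDC: the realm in kdc.conf and default_realm in krb5.conf must agree, supported_enctypes should not carry single DES, triple DES or RC4 (all deprecated in current MIT Kerberos releases, so the page's list would be flagged), and no kadm5.acl entry should grant the "e" (extract keys) privilege. It also splits a principal name into the primary/instance@REALM parts described in step 5, since the primary is the part that must match the ADQM user name. The script writes constructed copies of the three files into a temporary directory so it runs offline; the function names are assumptions of this example, and to audit a real host you would pass /var/kerberos/krb5kdc/kdc.conf, /etc/krb5.conf and /var/kerberos/krb5kdc/kadm5.acl instead.

```shell
#!/bin/sh
# Added example (not from the Arenadata documentation): audit of a new KDC
# configuration. Constructed copies of kdc.conf, krb5.conf and kadm5.acl are
# written to a temporary directory; function names are assumptions.
set -u

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed kdc.conf: the realm and the enctype list from the page.
cat > "$WORKDIR/kdc.conf" <<'EOF'
[realms]
 RU-CENTRAL1.INTERNAL = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
EOF

# Constructed krb5.conf: the client-side realm settings from the page.
cat > "$WORKDIR/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = RU-CENTRAL1.INTERNAL
 dns_lookup_realm = false

[realms]
 RU-CENTRAL1.INTERNAL = {
  kdc = dev-adcm-test.ru-central1.internal
  admin_server = dev-adcm-test.ru-central1.internal
 }
EOF

# Constructed kadm5.acl, as on the page.
printf '%s\n' '*/admin@RU-CENTRAL1.INTERNAL    *' > "$WORKDIR/kadm5.acl"

# Print the value of the first "KEY = value" line in FILE ($1 file, $2 key).
conf_value() {
  awk -v key="$2" '$1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# Print the realm defined in kdc.conf (the first "REALM = {" line).
kdc_realm() {
  awk '$2 == "=" && $3 == "{" { print $1; exit }' "$1"
}

# Return 0 if the KDC realm in kdc.conf ($1) equals default_realm in krb5.conf ($2).
realm_matches() {
  r=$(kdc_realm "$1")
  [ -n "$r" ] && [ "$r" = "$(conf_value "$2" default_realm)" ]
}

# Print the deprecated encryption types (single DES, triple DES, RC4) found in
# supported_enctypes, one per line; return 1 if any, 0 if the list is clean.
weak_enctypes() {
  found=0
  for et in $(conf_value "$1" supported_enctypes); do
    case "${et%%:*}" in
      des-*|des3-*|arcfour-*) printf '%s\n' "${et%%:*}"; found=1 ;;
    esac
  done
  return $found
}

# Return 0 if any kadm5.acl entry grants the "e" (extract keys) privilege.
# The "*" and "x" privilege strings mean admcilsp, which does not include "e".
acl_allows_extract() {
  awk '$1 !~ /^#/ && NF >= 2 && $2 ~ /e/ { found = 1 } END { exit !found }' "$1"
}

# Split primary/instance@REALM into "primary instance realm"; a missing
# instance or realm prints as "-". The primary must match the ADQM user name.
split_principal() {
  p=$1
  realm=${p##*@}; [ "$realm" = "$p" ] && realm=-
  lp=${p%@*}
  primary=${lp%%/*}
  instance=${lp#*/}; [ "$instance" = "$lp" ] && instance=-
  printf '%s %s %s\n' "$primary" "$instance" "$realm"
}

# Report on the constructed files.
realm_matches "$WORKDIR/kdc.conf" "$WORKDIR/krb5.conf" \
  && echo "realm: kdc.conf and krb5.conf agree" \
  || echo "realm: kdc.conf and krb5.conf DISAGREE"
weak=$(weak_enctypes "$WORKDIR/kdc.conf") \
  && echo "enctypes: no deprecated types" \
  || { echo "enctypes: deprecated types present:"; echo "$weak"; }
acl_allows_extract "$WORKDIR/kadm5.acl" \
  && echo "acl: an entry grants key extraction" \
  || echo "acl: no entry grants key extraction"
split_principal john/admin@RU-CENTRAL1.INTERNAL
```

    Run against the page's values, the script reports that the realms agree and that the ACL does not grant key extraction, but lists five deprecated enctypes; trimming supported_enctypes to the aes and camellia entries before running kdb5_util create is the usual fix, since the KDC generates keys for every listed type.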

Start MIT Kerberos KDC on ADQM cluster

  1. On the Clusters page of the ADCM interface, select the installed and prepared ADQM cluster.

  2. Enable Kerberos for the cluster: click the Actions icon and select the Manage Kerberos action.

    (Screenshot: Manage Kerberos action)
  3. Turn on the Existing MIT KDC option and fill in the configuration parameters in accordance with the previously specified Kerberos server settings.

    (Screenshot: MIT KDC parameters)
  4. Click Run and wait for the cluster kerberization to complete. On the Jobs page, you can monitor the progress and result of the Manage Kerberos task execution.

    (Screenshot: Kerberization process)

After Kerberos is successfully installed on the ADQM cluster, the corresponding settings appear on the cluster configuration page (in the Kerberos section) and on the ADQMDB service configuration page (in the Kerberos configuration section).

(Screenshot: Kerberos settings in the ADQM cluster configuration)
(Screenshot: Kerberos settings in the ADQMDB service configuration)

Test user authentication via Kerberos

After a successful kerberization, ADQM commands can only run on cluster nodes after getting a Kerberos ticket. Below is an example that demonstrates how to access the kerberized cluster:

  1. Create an ADQM user that has a principal in the Kerberos database. To do this, use the IDENTIFIED WITH kerberos clause in the CREATE USER query:

    CREATE USER adqm_kerb IDENTIFIED WITH kerberos;
  2. Create a Kerberos ticket for the user principal:

    $ kinit -V adqm_kerb@RU-CENTRAL1.INTERNAL

    Enter the principal's password when prompted:

    Password for adqm_kerb@RU-CENTRAL1.INTERNAL:

    The kinit article of the MIT Kerberos documentation describes all available options of the kinit command.

  3. Check the ticket:

    $ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: adqm_kerb@RU-CENTRAL1.INTERNAL
    
    Valid starting       Expires              Service principal
    05/04/2023 07:13:58  05/05/2023 07:13:58  krbtgt/RU-CENTRAL1.INTERNAL@RU-CENTRAL1.INTERNAL
  4. To test authentication via Kerberos, send a command to ADQM using a curl build that supports the SPNEGO mechanism (the --negotiate option):

    $ echo "select currentUser()" | curl --negotiate -u : http://<host_name>:8123/ --data-binary @-

    In case of successful authentication, the command should return the kerberized user name:

    adqm_kerb
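The following shell script is an added example and is not part of the Arenadata documentation: before sending a query to the kerberized cluster, it checks that the credential cache shown by klist (step 3 above) belongs to the expected principal, holds a TGT (krbtgt/REALM@REALM) for that principal's realm, and has not expired, which is the state the curl test in step 4 relies on. The klist text in the script is a constructed sample in the same shape as the output on the page (note that the sample's ticket from 2023 is long expired, so the expiry check fires); the function names are assumptions, and the timestamp parsing assumes klist's default MM/DD/YYYY HH:MM:SS format as shown on the page.

```shell
#!/bin/sh
# Added example (not from the Arenadata documentation): validate klist output
# before running kerberized ADQM queries. The klist text is a constructed
# sample modelled on the page; function names are assumptions.
set -u

# Constructed klist output for the user from the page.
KLIST_OK='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: adqm_kerb@RU-CENTRAL1.INTERNAL

Valid starting       Expires              Service principal
05/04/2023 07:13:58  05/05/2023 07:13:58  krbtgt/RU-CENTRAL1.INTERNAL@RU-CENTRAL1.INTERNAL'

# Constructed klist output for a cache that belongs to a different principal.
KLIST_OTHER='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: someone@OTHER.REALM

Valid starting       Expires              Service principal
05/04/2023 07:13:58  05/05/2023 07:13:58  krbtgt/OTHER.REALM@OTHER.REALM'

# Print the default principal from klist output read on stdin.
klist_principal() {
  awk '/^Default principal: / { sub(/^Default principal: /, ""); print; exit }'
}

# Return 0 if the klist output on stdin names $1 as the default principal
# and holds a TGT (krbtgt/REALM@REALM) for that principal's realm.
has_tgt_for() {
  want=$1
  realm=${want##*@}
  awk -v want="$want" -v tgt="krbtgt/$realm@$realm" '
    /^Default principal: / { sub(/^Default principal: /, ""); ok_p = ($0 == want) }
    $NF == tgt             { ok_t = 1 }
    END { exit !(ok_p && ok_t) }'
}

# Print the TGT expiry from klist output on stdin as YYYYMMDDHHMMSS.
# Assumes klist's default MM/DD/YYYY HH:MM:SS timestamps (as on the page);
# a different locale setting changes that format.
tgt_expiry() {
  awk '$NF ~ /^krbtgt\// {
    split($3, d, "/"); gsub(/:/, "", $4)
    printf "%s%s%s%s\n", d[3], d[1], d[2], $4; exit }'
}

# Return 0 if the TGT in the klist output on stdin has already expired.
tgt_expired() {
  exp=$(tgt_expiry)
  [ -n "$exp" ] && [ "$exp" -lt "$(date +%Y%m%d%H%M%S)" ]
}

# Stand-alone run on the constructed sample. In practice pipe klist in, e.g.
#   klist 2>/dev/null | has_tgt_for "$PRINCIPAL" || kinit "$PRINCIPAL"
if printf '%s\n' "$KLIST_OK" | has_tgt_for adqm_kerb@RU-CENTRAL1.INTERNAL; then
  echo "cache holds a TGT for adqm_kerb@RU-CENTRAL1.INTERNAL"
fi
if printf '%s\n' "$KLIST_OK" | tgt_expired; then
  echo "the TGT expired at $(printf '%s\n' "$KLIST_OK" | tgt_expiry); run kinit again"
fi
```

A wrapper like this is useful around the curl test because curl --negotiate silently falls back to an unauthenticated request when no usable ticket is in the cache, and the server's error is then easy to misread as a Kerberos configuration problem.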