IN THIS ARTICLE
Outlines how to add, remove, and configure your cluster to use a Kerberos realm
REQUIREMENTS
- Cluster running Qumulo Core 2.9.6 or later
- Admin privileges on the Qumulo cluster
- Command line (CLI) tools installed via API & Tools in the Web UI
- Cluster is connected to an LDAP server for identity mapping
Note: Installing a Kerberos keytab prevents the cluster from joining Active Directory, and a cluster that is joined to AD cannot have a keytab installed. Verify your current settings before proceeding.
DETAILS
Qumulo Core 2.9.6 adds APIs for joining your cluster to a Kerberos realm. Clients can then authenticate with Kerberos tickets, provided a Kerberos KDC is running for that realm. The keytab you install on the cluster holds the cluster's long-term service key; the KDC holds the same key and uses it to encrypt the service tickets it issues to clients, which is what lets the cluster validate those tickets.
Prior to starting, confirm that the keytab contains the expected principals for your cluster:
- The cluster's service principal should be in the form cifs/<DNS name>@<realm> for client compatibility, where <DNS name> is the fully qualified host name SMB clients use to reach the cluster and <realm> is the Kerberos realm name (conventionally upper case, as in the example below).
- The keytab is generated on the KDC administration server, independently of the cluster, and then installed on your Qumulo cluster.
To perform this verification, run the following command:
klist -k /qumulo.example.com.keytab -e
Keytab name: FILE:/qumulo.example.com.keytab
KVNO Principal
---- -------------------------------------------------------------
1 cifs/qumulo.example.com@EXAMPLE.COM (des3-cbc-sha1)
1 cifs/qumulo.example.com@EXAMPLE.COM (arcfour-hmac)
1 cifs/qumulo.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
1 cifs/qumulo.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
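The listing above shows that the service principal has keys for four encryption types. Two of them, arcfour-hmac and des3-cbc-sha1, are deprecated for Kerberos use by RFC 8429, and a keytab that lacks an AES key cannot decrypt AES-encrypted service tickets from a KDC that holds an AES key for the principal. The script below is an added example, not part of the Qumulo article or the qq tooling: it checks a saved klist listing for the expected cifs/<DNS name>@<realm> principal, confirms the principal has at least one AES key, flags legacy encryption types and multiple KVNOs, and reports any other principals the keytab carries. The sample listing embedded at the end is constructed to mirror the output above, with two extra host/ principals added to exercise the reporting; all function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Qumulo article): sanity-check a saved
# `klist -k <keytab> -e` listing before running `qq kerberos_set_keytab`.
# Real use:  klist -k /qumulo.example.com.keytab -e > listing.txt
#            check_keytab_listing listing.txt cifs/qumulo.example.com@EXAMPLE.COM

# Encryption types deprecated for Kerberos by RFC 6649 (DES) and RFC 8429 (RC4, 3DES).
WEAK_ENCTYPES='arcfour-hmac|arcfour-hmac-md5|des3-cbc-sha1|des-cbc-crc|des-cbc-md5'

# Print only the "KVNO principal (enctype)" entry lines, skipping klist's header.
keytab_entries() {
    grep -E '^ *[0-9]+ +[^ ]+ +\([^)]+\)' "$1"
}

# Print the enctype (parentheses removed) of every key the given principal has.
principal_enctypes() {
    keytab_entries "$1" | awk -v p="$2" '$2 == p { gsub(/[()]/, "", $3); print $3 }'
}

# Print the legacy enctypes present for the given principal, one per line.
weak_enctypes() {
    principal_enctypes "$1" "$2" | grep -E "^($WEAK_ENCTYPES)$"
}

# Exit status: 0 = principal present with at least one AES key,
#              1 = principal missing from the keytab,
#              2 = principal present but it has no AES key.
check_keytab_listing() {
    ckl_listing="$1"; ckl_principal="$2"
    ckl_types=$(principal_enctypes "$ckl_listing" "$ckl_principal")
    if [ -z "$ckl_types" ]; then
        echo "FAIL: $ckl_principal not found in $ckl_listing" >&2
        return 1
    fi
    if ! printf '%s\n' "$ckl_types" | grep -q '^aes'; then
        echo "FAIL: $ckl_principal has no AES key; AES-encrypted service tickets could not be decrypted" >&2
        return 2
    fi
    for ckl_enc in $(weak_enctypes "$ckl_listing" "$ckl_principal"); do
        echo "WARN: $ckl_principal carries legacy enctype $ckl_enc; regenerate AES-only unless a client needs it" >&2
    done
    # More than one KVNO for a principal is expected only during a key rollover.
    ckl_kvnos=$(keytab_entries "$ckl_listing" | awk -v p="$ckl_principal" '$2 == p { print $1 }' | sort -u | wc -l | tr -d ' ')
    [ "$ckl_kvnos" -eq 1 ] || echo "WARN: $ckl_principal has $ckl_kvnos different KVNOs" >&2
    keytab_entries "$ckl_listing" | awk -v p="$ckl_principal" '$2 != p { print $2 }' | sort -u |
        while read -r ckl_other; do echo "NOTE: keytab also contains $ckl_other" >&2; done
    return 0
}

# Constructed sample listing mirroring the article's klist output (not captured from a real KDC).
SAMPLE_LISTING=$(mktemp)
trap 'rm -f "$SAMPLE_LISTING"' EXIT
cat > "$SAMPLE_LISTING" <<'EOF'
Keytab name: FILE:/qumulo.example.com.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 cifs/qumulo.example.com@EXAMPLE.COM (des3-cbc-sha1)
   1 cifs/qumulo.example.com@EXAMPLE.COM (arcfour-hmac)
   1 cifs/qumulo.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 cifs/qumulo.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 host/qumulo.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/legacy.example.com@EXAMPLE.COM (arcfour-hmac)
EOF

check_keytab_listing "$SAMPLE_LISTING" cifs/qumulo.example.com@EXAMPLE.COM \
    && echo "OK: keytab is usable for cifs/qumulo.example.com@EXAMPLE.COM"
```

Run against a real keytab by redirecting the klist output to a file first; the script never reads the keytab itself, so it can run on a workstation that has no access to the KDC. A non-zero exit status means the keytab should be regenerated before it is installed with qq kerberos_set_keytab.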
Add Cluster to the Kerberos Realm
While logged in as admin, install the keytab on the cluster using the following command:
qq kerberos_set_keytab --keytab-file /qumulo.example.com.keytab
Once the keytab is installed, the cluster authenticates SMB2 connections that present Kerberos tickets for the principals defined in the keytab. Only SMB2 connections can be authenticated with Kerberos; NFS, FTP, and the REST API do not accept Kerberos tickets.
Remove Cluster from the Kerberos Realm
To delete the keytab and remove your cluster from the Kerberos realm, run the following command:
qq kerberos_delete_keytab
Configure Kerberos-LDAP Identity Mapping
Qumulo provides two mapping methods between Kerberos principals and LDAP identities: mapping via the user name component of the principal (the realm is dropped and the name is looked up as the uid attribute), or mapping via the altSecurityIdentities LDAP attribute, which must hold the full principal prefixed with Kerberos:. Reference the table below for details.
Mode      | Kerberos principal | LDAP lookup
Default   | name@example.com   | uid=name
Alternate | name@example.com   | altSecurityIdentities=Kerberos:name@example.com
If you would like to enable this alternate option, use the following command:
qq kerberos_modify_settings --use-alt-security-identities-mapping true
TIP! To see the full list of available commands for Kerberos, check out the QQ CLI: Kerberos article.
RESOLUTION
You should now be able to successfully add, remove, and configure your cluster to use a Kerberos realm.