
Join Your Cluster to a Kerberos Realm


This article outlines how to add your cluster to a Kerberos realm, remove it from the realm, and configure Kerberos-LDAP identity mapping.


  • Cluster running Qumulo Core 2.9.6 or later
  • Admin privileges on the Qumulo cluster
  • Command line (CLI) tools installed via API & Tools in the Web UI
  • Cluster is connected to an LDAP server for identity mapping

Note: Setting a KDC keytab prohibits the cluster from joining AD and vice versa. Be sure to verify your current settings before proceeding.


You can now join your cluster to a Kerberos realm using the new APIs available in version 2.9.6 of Qumulo Core. Authentication via Kerberos tickets is now supported, assuming you have a running Kerberos KDC. Once a Kerberos keytab is set on the cluster, your clients can authenticate using Kerberos tickets from the KDC holding the cluster’s private key.

Prior to starting, confirm that the keytab contains the expected principals for your cluster:

  • The service principal of the cluster should be in the form cifs/<DNS name>@<realm> for client compatibility.
  • The keytab is generated independently of the cluster on the KDC administration server before it is configured on your Qumulo cluster.

To perform this verification, run the following command:

klist -k / -e
Keytab name: FILE:/
KVNO Principal
---- -------------------------------------------------------------
1 cifs/ (des3-cbc-sha1)
1 cifs/ (arcfour-hmac)
1 cifs/ (aes128-cts-hmac-sha1-96)
1 cifs/ (aes256-cts-hmac-sha1-96)
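The verification above can be scripted. This is an added example, not Qumulo's own tooling: it reads klist -k -e output on stdin and confirms that every entry uses the expected cifs/<DNS name>@<realm> principal. Going beyond the page, it also reports 3DES and RC4 keys, which RFC 8429 deprecates; the function names, host name, realm and keytab path are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Qumulo tooling). Assumes the short enctype names shown above.

# check_keytab_listing <dns-name> <realm>   (reads `klist -k <keytab> -e` output on stdin)
# Returns 0 = all principals match, 1 = wrong or missing principal,
#         2 = principals match but no AES key is present.
check_keytab_listing() {
    awk -v want="cifs/$1@$2" '
        # Entry lines have the form: <KVNO> <principal> (<enctype>)
        $1 ~ /^[0-9]+$/ && NF >= 3 {
            entries++
            enc = $3
            gsub(/[()]/, "", enc)
            if ($2 != want) { printf "unexpected principal: %s\n", $2; bad++ }
            if (enc ~ /^aes(128|256)-cts-hmac-sha/) strong++
            else if (enc ~ /des3|arcfour/) printf "deprecated by RFC 8429: %s\n", enc
            else printf "unrecognised enctype: %s\n", enc
        }
        END {
            if (entries == 0) { print "no keytab entries found"; exit 1 }
            if (bad > 0) exit 1
            if (strong == 0) exit 2
        }'
}

# Constructed sample listing; host, realm and path are placeholders.
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/tmp/example.keytab
KVNO Principal
---- -------------------------------------------------------------
   1 cifs/qumulo.example.com@EXAMPLE.COM (des3-cbc-sha1)
   1 cifs/qumulo.example.com@EXAMPLE.COM (arcfour-hmac)
   1 cifs/qumulo.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 cifs/qumulo.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
EOF
}

# Demo run on the constructed sample: reports the two deprecated keys, then OK.
sample_listing | check_keytab_listing qumulo.example.com EXAMPLE.COM \
    && echo "keytab principals OK"
```

Against a real keytab, pipe the klist -k -e output for that keytab into check_keytab_listing with the cluster's DNS name and realm as arguments.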

Add Cluster to the Kerberos Realm

While logged in as admin, install the keytab on the cluster using the following command:

qq kerberos_set_keytab --keytab-file /

Once the keytab is installed, SMB2 connections containing Kerberos tickets for the principals defined in the keytab are authenticated on the cluster. Note that only SMB2 connections can be authenticated with Kerberos; NFS, FTP, and REST do not accept Kerberos tickets.

Remove Cluster from the Kerberos Realm

To delete the keytab and remove your cluster from the Kerberos realm, run the following command:

qq kerberos_delete_keytab

Configure Kerberos-LDAP Identity Mapping

Qumulo provides two main mapping methods between Kerberos and LDAP identities: mapping via the user name component or mapping via the altSecurityIdentities LDAP attribute. Reference the table below for details.

  Kerberos LDAP
Default     uid=name

To enable the alternate mapping via the altSecurityIdentities LDAP attribute, use the following command:

qq kerberos_modify_settings --use-alt-security-identities-mapping true

TIP! To see the full list of available commands for Kerberos, check out the QQ CLI: Kerberos article.


You should now be able to successfully add, remove, and configure your cluster to use a Kerberos realm.


QQ CLI: Kerberos

