
Join Your Cluster to a Kerberos Realm

IN THIS ARTICLE 

Outlines how to add, remove, and configure your cluster to use a Kerberos realm

REQUIREMENTS

  • Cluster running Qumulo Core 2.9.6 or later
  • Admin privileges on the Qumulo cluster
  • Command line (CLI) tools installed via API & Tools in the Web UI
  • Cluster is connected to an LDAP server for identity mapping

Note: Setting a Kerberos keytab prevents the cluster from joining Active Directory, and a cluster that is already joined to AD cannot take a keytab. Verify your current settings before proceeding.

DETAILS 

You can now join your cluster to a Kerberos realm using the new APIs available in version 2.9.6 of Qumulo Core. Authentication via Kerberos tickets is supported, assuming you have a running Kerberos KDC. The keytab holds the cluster's service keys, the same keys the KDC uses to encrypt service tickets for the cluster. Once the keytab is set on the cluster, clients can authenticate with tickets issued by that KDC, because the cluster can decrypt them.

Prior to starting, confirm that the keytab contains the expected principals for your cluster:

  • The service principal of the cluster should be in the form cifs/<DNS name>@<realm> for client compatibility.
  • The keytab is generated independently of the cluster on the KDC administration server before it is configured on your Qumulo cluster.
  • Treat the keytab file as a secret: anyone who can read it can impersonate the cluster's SMB service. Restrict its file permissions while it is in transit and remove stray copies once it has been installed.
  • Check which encryption types the keytab carries. RC4 (arcfour-hmac) and DES3 are deprecated for Kerberos (RFC 8429) and single DES is disabled by default on modern KDCs; where your KDC allows it, generate the keytab with AES keys only.

To perform this verification, run the following command (the -e flag prints the encryption type of each key):

klist -k /qumulo.example.com.keytab -e
Keytab name: FILE:/qumulo.example.com.keytab
KVNO Principal
---- -------------------------------------------------------------
   1 cifs/qumulo.example.com@EXAMPLE.COM (des3-cbc-sha1)
   1 cifs/qumulo.example.com@EXAMPLE.COM (arcfour-hmac)
   1 cifs/qumulo.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 cifs/qumulo.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
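The check above can be scripted so that a keytab is rejected before it ever reaches `qq kerberos_set_keytab`. The following is an added example written for this article, not Qumulo's own tooling: it takes `klist -k -e` output (here a constructed sample copied from the listing above; in practice pipe in the real command), confirms that the expected `cifs/<DNS name>@<realm>` principal is present with at least one AES key, and warns about deprecated encryption types. The host name and realm passed to `check_keytab` are assumptions for the example.

```shell
#!/bin/sh
# Added example: pre-flight check of a keytab before installing it on the cluster.
# Not Qumulo code. SAMPLE_KLIST is constructed to match the article's klist output;
# replace it with: klist_out=$(klist -k /path/to/keytab -e)

SAMPLE_KLIST='Keytab name: FILE:/qumulo.example.com.keytab
KVNO Principal
---- -------------------------------------------------------------
   1 cifs/qumulo.example.com@EXAMPLE.COM (des3-cbc-sha1)
   1 cifs/qumulo.example.com@EXAMPLE.COM (arcfour-hmac)
   1 cifs/qumulo.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 cifs/qumulo.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# The service principal SMB clients look for: cifs/<DNS name>@<realm>.
expected_principal() {
    printf 'cifs/%s@%s\n' "$1" "$2"
}

# Distinct principals in klist output: entry lines start with a numeric KVNO,
# and the principal is the second whitespace-separated column.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Succeeds if the given principal has at least one AES key in the keytab.
has_aes_key() {
    printf '%s\n' "$1" | grep -F "$2" | grep -Eq '\(aes(128|256)-cts-hmac-sha1-96\)'
}

# Lists enctypes for the principal that are deprecated (RC4/arcfour, DES3, RFC 8429)
# or disabled by default on modern KDCs (single DES). Empty output means AES only.
weak_enctypes() {
    printf '%s\n' "$1" | grep -F "$2" \
        | grep -oE '\((des|des3|arcfour)[^)]*\)' | tr -d '()' | sort -u
}

# check_keytab <klist output> <cluster DNS name> <realm>
# Returns 0 when the expected principal is present with an AES key, 1 otherwise.
check_keytab() {
    klist_out=$1; host=$2; realm=$3
    want=$(expected_principal "$host" "$realm")
    if ! keytab_principals "$klist_out" | grep -Fxq "$want"; then
        echo "FAIL: $want not found in keytab" >&2
        return 1
    fi
    if ! has_aes_key "$klist_out" "$want"; then
        echo "FAIL: $want has no AES key; regenerate the keytab" >&2
        return 1
    fi
    weak=$(weak_enctypes "$klist_out" "$want")
    if [ -n "$weak" ]; then
        echo "WARN: deprecated enctypes present for $want: $(printf '%s' "$weak" | tr '\n' ' ')" >&2
    fi
    echo "OK: $want present with AES key"
    return 0
}

# Usage with the constructed sample; values are assumptions for the example.
check_keytab "$SAMPLE_KLIST" qumulo.example.com EXAMPLE.COM
```

Run with the real `klist` output in place of the sample and only proceed to `qq kerberos_set_keytab` when the script reports OK; a WARN line is a prompt to regenerate the keytab with AES keys only before installing it.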

Add Cluster to the Kerberos Realm

While logged in as admin, install the keytab on the cluster using the following command:

qq kerberos_set_keytab --keytab-file /qumulo.example.com.keytab

Once the keytab is installed, SMB2 connections that present a Kerberos ticket for one of the principals in the keytab are authenticated by the cluster. Note that only SMB2 connections can be authenticated with Kerberos; NFS, FTP, and the REST API do not accept Kerberos tickets.

Remove Cluster from the Kerberos Realm

To delete the keytab and remove your cluster from the Kerberos realm, run the following command:

qq kerberos_delete_keytab

Configure Kerberos-LDAP Identity Mapping

Qumulo provides two main mapping methods between Kerberos and LDAP identities: mapping via the user name component of the principal, or mapping via the altSecurityIdentities LDAP attribute. Reference the table below for details.

  Mode        Kerberos principal    LDAP lookup
  Default     name@example.com      uid=name
  Alternate   name@example.com      altSecurityIdentities=Kerberos:name@example.com

If you would like to enable this alternate option, use the following command:

qq kerberos_modify_settings --use-alt-security-identities-mapping true
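Before switching to the alternate mapping it is worth confirming that every Kerberos user actually has an altSecurityIdentities value in LDAP, since a principal without one will stop mapping to a user once the setting is flipped. The following is an added example, not part of the article or of Qumulo's tooling: it derives the LDAP filter each mapping mode implies (the table above) and runs the pre-check over a constructed LDIF export. The LDIF content, the principals, and the `ldap.example.com` host in the comment are assumptions for the example.

```shell
#!/bin/sh
# Added example: derive the LDAP lookup for each Kerberos-to-LDAP mapping mode and
# find principals that would be left unmapped after enabling the alternate mode.
# Not Qumulo code. SAMPLE_LDIF is a constructed export; in practice produce it with
# something like: ldapsearch -x -H ldap://ldap.example.com -b dc=example,dc=com uid altSecurityIdentities

SAMPLE_LDIF='dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
altSecurityIdentities: Kerberos:alice@EXAMPLE.COM

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
'

# ldap_filter <default|alt> <principal>
# default: strip the realm and look up uid=<name>
# alt:     look up the full principal in altSecurityIdentities
ldap_filter() {
    mode=$1; principal=$2
    case $mode in
        default) printf '(uid=%s)\n' "${principal%%@*}" ;;
        alt)     printf '(altSecurityIdentities=Kerberos:%s)\n' "$principal" ;;
        *)       echo "unknown mapping mode: $mode" >&2; return 1 ;;
    esac
}

# Number of lines in an LDIF dump equal to the given attribute line
# (exact string match, so realm case must match what the KDC issues).
ldif_matches() {
    printf '%s\n' "$1" | grep -Fxc "$2"
}

# unmapped_after_switch <ldif> <principal>...
# Prints each principal that has no altSecurityIdentities entry in the dump.
unmapped_after_switch() {
    ldif=$1; shift
    for p in "$@"; do
        if [ "$(ldif_matches "$ldif" "altSecurityIdentities: Kerberos:$p")" -eq 0 ]; then
            echo "$p"
        fi
    done
}

# Usage with the constructed sample (principals are assumptions for the example).
echo "default-mode filter: $(ldap_filter default alice@EXAMPLE.COM)"
echo "alternate-mode filter: $(ldap_filter alt alice@EXAMPLE.COM)"
echo "principals without altSecurityIdentities:"
unmapped_after_switch "$SAMPLE_LDIF" alice@EXAMPLE.COM bob@EXAMPLE.COM
```

Feed the real export and the list of principals from your KDC into `unmapped_after_switch`; an empty result means the alternate mapping can be enabled without stranding any user, and the filters printed by `ldap_filter` are what you would hand to `ldapsearch` to spot-check a single account.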

TIP! To see the full list of available commands for Kerberos, check out the QQ CLI: Kerberos article.

RESOLUTION

You should now be able to successfully add, remove, and configure your cluster to use a Kerberos realm.

ADDITIONAL RESOURCES

QQ CLI: Kerberos
