After you have configured Kerberos on the Active Directory domain controller host, the
next step in the flow of enabling single sign-on with Kerberos is to configure Kerberos on the
LSF and LSF Application Center hosts.
Procedure
- On the LSF and LSF Application Center hosts, edit the Linux network settings (for example, with the nmtui network management tool). Set the IP address of the Windows Active Directory domain controller as the DNS server address, and the Active Directory domain name as the search domain.
Tip: Refer to your /etc/resolv.conf file for these network values.
- Map the hostname and IP address in the /etc/hosts file.
For example:
# The host address of Windows Active Directory domain controller host
9.110.251.125 vmwin12 vmwin12.free.zone
# The host address of LSF or add-on host
9.110.251.30 myhost myhost.free.zone
- Install Kerberos by running the following command:
yum install krb5-libs krb5-workstation krb5-devel
- Copy the generated Kerberos keytab files from the Active Directory domain controller
host, which you previously generated in Configuring Kerberos single sign-on on the Windows Active Directory domain controller host.
- Merge the keytab files to generate a single krb5.keytab file.
For example, if the generated keytab files are lsfsrv.keytab, lsfhost.keytab, and ac_root.keytab, run:
- Copy the krb5.keytab file to the /etc directory, and configure the /etc/krb5.conf file.
The following example shows the /etc/krb5.conf file for a domain name of free.zone and an Active Directory domain controller hostname of vmwin12.free.zone:
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = FREE.ZONE
default_keytab_name = FILE:/etc/krb5.keytab
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
forwardable = true
renewable = true
noaddresses = true
clockskew = 300
udp_preference_limit = 1
[realms]
FREE.ZONE = {
kdc = vmwin12.free.zone
admin_server = vmwin12.free.zone
}
[domain_realm]
.free.zone = FREE.ZONE
free.zone = FREE.ZONE
- Ensure that usernames do not contain @domain.com by editing the /etc/sssd/sssd.conf file and setting use_fully_qualified_names=False.
- Verify that the Kerberos keytab file exists:
klist -k -t /etc/krb5.keytab
- Configure Kerberos on the LSF host by setting the following parameters and values in the $LSF_ENVDIR/lsf.conf file:
- LSF_ADDON_HOSTS="hostname", where hostname is the LSF Application Center server hostname.
- LSB_KRB_LIB_PATH="/usr/lib64/"
- Configure Kerberos on the LSF Application Center host:
- Set the following parameters in the $GUI_CONFDIR/pmc.conf file to
support Kerberos:
- ENABLE_KERBEROS=true
- KrbServicePrincipal=HTTP/hostname@FREE.ZONE, where hostname is the LSF Application Center server hostname.
- KrbKeyTabLocation="/etc/krb5.keytab"
- Back up the $PMC_TOP/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/classes/spring-security.xml file, then rename the spring-security.xml.krb file in the same directory to spring-security.xml, so that it replaces the original spring-security.xml file.
- Set the following environment variable:
LSF_ADDON_SERVICENAME="AC_root"
- (Required starting in Fix Pack 14; optional for earlier versions) Enable weak encryption types for Kerberos, to avoid authentication failures in environments that do not support strong cryptography: add the allow_weak_crypto = true setting to the [libdefaults] section of the /etc/krb5.conf file; for example:
[libdefaults]
allow_weak_crypto = true
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
# default_realm = EXAMPLE.COM
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
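The following Python script is an added example and not part of this documentation: it parses a krb5.conf in the layout shown above (including the realm stanza in braces) and reports which settings this procedure depends on are missing, and which weak-crypto settings (RC4 enctypes, allow_weak_crypto) are in effect, so the scope of the weak-crypto exception stays visible. The sample configuration text and the WEAK_ENCTYPES set are constructed for this example.

```python
# Constructed sample in the layout shown above, not a file captured from a real host.
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/
[libdefaults]
 default_realm = FREE.ZONE
 default_tkt_enctypes = rc4-hmac
 default_tgs_enctypes = rc4-hmac
 allow_weak_crypto = true
[realms]
 FREE.ZONE = {
  kdc = vmwin12.free.zone
 }
[domain_realm]
 .free.zone = FREE.ZONE
"""
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5"}  # single DES and RC4

def parse_krb5_conf(text):
    """Return {section: {key: value}}; brace stanzas such as realms nest as dicts."""
    conf, section, stanza = {}, {}, None  # the initial section is a throwaway before any header
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if line.startswith("[") and line.endswith("]"):
            section, stanza = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            stanza = None  # end of a brace stanza, back to the enclosing section
        elif "=" in line:  # includedir and blank lines carry no "=" and are skipped
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stanza = section.setdefault(key, {})
            else:
                (stanza if stanza is not None else section)[key] = value
    return conf

def check_krb5_conf(conf, realm, kdc):
    """Return findings: required settings that are absent, plus weak crypto in use."""
    findings, lib = [], conf.get("libdefaults", {})
    if lib.get("default_realm") != realm:
        findings.append("default_realm is not " + realm)
    if conf.get("realms", {}).get(realm, {}).get("kdc") != kdc:
        findings.append("realm %s does not list kdc %s" % (realm, kdc))
    if conf.get("domain_realm", {}).get("." + realm.lower()) != realm:
        findings.append("domain_realm lacks ." + realm.lower() + " mapping")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        weak = sorted(set(lib.get(key, "").split()) & WEAK_ENCTYPES)
        if weak:
            findings.append("%s uses weak enctype(s): %s" % (key, " ".join(weak)))
    if lib.get("allow_weak_crypto", "false").lower() == "true":
        findings.append("allow_weak_crypto is enabled")
    return findings
```

Run it against a real /etc/krb5.conf by passing the file contents to parse_krb5_conf and your realm and domain controller hostname to check_krb5_conf; an empty list means every setting this procedure needs is present and no weak crypto is configured.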
What to do next
Once you have configured Kerberos on the LSF and LSF Application Center hosts, configure your Windows client host for Kerberos (which includes setting browsers for
Kerberos access on the client).