Kerberos authentication from the command prompt

With Kerberos authentication, you can log on to your Windows cluster from the command prompt or submit workload as the current OS user, without having to enter your user credentials. You can also log on as a specific Active Directory (AD) user by using the AD user name and password.

Procedure

Note: As in Windows, AD user names in IBM® Spectrum Symphony are not case sensitive. However, the Admin user is a special user for IBM Spectrum Symphony, so you cannot use a variant of it with different case, for example, admin, to represent another user.

  1. Log on to a host as the AD user who is mapped to the Admin user, as defined in the KERBEROS_ADMIN parameter, and run commands directly from the command prompt. The host must be in the same domain as this AD user.
    With the mapping to the Admin user, the AD user inherits the cluster administrator role of the Admin user. For example, log on to a host in the ad1 domain as the egoadmin user (ad1\egoadmin) and run commands to view resource groups, system services, and applications:
    egosh rg
    egosh service list
    soamview app
    To run a command that accepts a user name and password as a user other than the current OS user, enter, for example:
    soamview app -u ad1\mguser -x passwordmguser
  2. Check whether all expected users and user groups are loaded successfully to the system:
    egosh user list
  3. Assign permissions for AD users to run commands or applications.
    For example, to set AD user mguser in domain ad1 as a read-only cluster administrator and AD user appuser in domain ad2 as a consumer administrator, enter:
    egosh user assignrole -u ad1\mguser -r "Cluster Admin (Read only)"
    egosh user assignrole -u ad2\appuser -r "Consumer Admin"
    Note: User names or user group names that are identical but under different domains are treated as the same identity for user authorization purposes. After you assign a role to a user, for example, the consumer administrator role to ad2\appuser, if a user named appuser also exists in domain ad1, ad1\appuser shares the same role as ad2\appuser. In this example, ad2\appuser and ad1\appuser are both consumer administrators.
  4. Log on to a compute host as an AD user and run commands directly from the command prompt.
    For example, log on to a compute host in the ad1 domain as user mguser (ad1\mguser) and run commands to view system services and applications:
    egosh service list
    soamview app
  5. Log on to a client host as an AD user and submit workload. On client hosts, you can submit application workload with or without single sign-on:
    • With single sign-on, an AD user can run workload as the current Windows user without entering a user principal and password; the currently logged-on Windows user is the logon user. To use single sign-on with applications other than the built-in ones, set the user name and password to empty strings when initializing the security callback with the callback functions. For example, the callback function for C++ applications is DefaultSecurityCallback.
    • Without single sign-on, an AD user can run workload as a specified user, by entering a user principal and password that differs from the current Windows user.
    For example, log on to a client host in the domain ad2 as appuser (ad2\appuser) and submit workload for the symping application:
    symping -u "" -x ""
    To run symping as another user who is not the current OS user, for example, enter:
    symping -u ad1\egoadmin -x passwordegoadmin
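The following pre-flight script is an added example and is not IBM's code. It covers step 2 (confirm that every expected AD user was loaded) and the note under step 3 (a role assigned to DOMAIN\user is shared with every same-named user in other domains), so an administrator sees which other accounts will inherit a role before running egosh user assignrole. It assumes, without support from the page, that egosh is on PATH and that egosh user list prints one DOMAIN\user entry per line; the sample output it parses is constructed, and the live run is confined to the main block.

```python
"""Pre-flight check for 'egosh user assignrole' (added example, not IBM's code).

Assumptions not taken from the documentation: 'egosh' is on PATH and
'egosh user list' prints one DOMAIN\\user entry per line. Lines that do not
match that shape (headers, blank lines) are ignored.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample of 'egosh user list' output (assumed format, not real output).
SAMPLE_USER_LIST = """\
ad1\\egoadmin
ad1\\mguser
ad1\\appuser
ad2\\appuser
"""

# One DOMAIN\user token per line; domain and user contain no whitespace or backslashes.
USER_RE = re.compile(r"^\s*([^\\\s]+)\\([^\\\s]+)\s*$")


def parse_user_list(text):
    """Map each user name to the set of domains it exists in.

    Names and domains are lower-cased because Symphony treats AD user names
    as case insensitive and ignores the domain for authorization purposes.
    """
    by_name = defaultdict(set)
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            domain, name = m.group(1).lower(), m.group(2).lower()
            by_name[name].add(domain)
    return by_name


def check_expected(by_name, expected):
    """Step 2: return the expected DOMAIN\\user entries that are not loaded."""
    missing = []
    for full in expected:
        domain, _, name = full.partition("\\")
        if domain.lower() not in by_name.get(name.lower(), set()):
            missing.append(full)
    return missing


def role_shares(by_name, full):
    """Step 3 caveat: other domains whose same-named user will share the role."""
    domain, _, name = full.partition("\\")
    return sorted(d for d in by_name.get(name.lower(), set()) if d != domain.lower())


def assignrole_command(full, role):
    """The egosh command from step 3, as an argument list (nothing is executed here)."""
    return ["egosh", "user", "assignrole", "-u", full, "-r", role]


def plan_assignments(by_name, assignments):
    """Build the commands to run and the warnings a reviewer should read first."""
    commands, warnings = [], []
    for full, role in assignments:
        shared = role_shares(by_name, full)
        if shared:
            name = full.partition("\\")[2]
            others = ", ".join(f"{d}\\{name}" for d in shared)
            warnings.append(f"{full}: role '{role}' will also apply to {others}")
        commands.append(assignrole_command(full, role))
    return commands, warnings


if __name__ == "__main__":
    # Live run against the cluster (assumes egosh is on PATH); replace with
    # SAMPLE_USER_LIST to try the logic offline.
    listing = subprocess.run(["egosh", "user", "list"], capture_output=True,
                             text=True, check=True).stdout
    users = parse_user_list(listing)
    expected = ["ad1\\egoadmin", "ad1\\mguser", "ad2\\appuser"]
    for full in check_expected(users, expected):
        print("not loaded:", full)
    cmds, warns = plan_assignments(users, [
        ("ad1\\mguser", "Cluster Admin (Read only)"),
        ("ad2\\appuser", "Consumer Admin"),
    ])
    for w in warns:
        print("WARNING:", w)
    for c in cmds:
        print("would run:", " ".join(c))
```

Run it once with the sample listing to confirm the warning for ad2\appuser appears, then review the printed warnings before issuing the egosh user assignrole commands yourself; the script deliberately prints the commands instead of running them.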