When Microsoft Active
Directory (AD) serves as the KDC in your cluster, configure Kerberos user authentication through the
GSS-Kerberos security plug-in on Linux® hosts in your
cluster.
Ensure that you meet the prerequisites for Kerberos authentication outlined in Prerequisites (Microsoft AD).
If you want AD users to be automatically loaded to IBM Spectrum Symphony (by setting the
ENABLE_AD_USERS_MANAGE parameter to Y), the
use_fully_qualified_names parameter in the
/etc/sssd/sssd.conf file must be set to False. Ensure
also that the AD domain users are not already added to IBM Spectrum Symphony.
About this task
To enable Kerberos authentication with AD in the IBM Spectrum Symphony cluster, you must configure
all your Linux hosts (management, compute, and client) to use
the sec_ego_gsskrb plug-in.
This task uses the following examples to illustrate a basic Kerberos scenario; ensure that you
modify this task as it applies to your production cluster:
- Your environment includes two AD domains: AD1.COM and
AD2.COM. An external two-way trust is established between them and both domains
are configured in the Kerberos configuration file (/etc/krb5.conf). The realms
corresponding to the two domains are AD1.COM and AD2.COM.
- Management and compute hosts are joined to AD1.COM.
- Linux client host linuxclient1 is
joined to AD1.COM; Linux client host
linuxclient2 is joined to AD2.COM. These hosts can be
Developer Edition hosts that serve as client hosts.
- The service principal for the authentication server, called abc123service,
is created in AD1.COM and it is added to the
/tmp/service.keytab on the primary host.
- The AD1.COM and AD2.COM domains include the following
user accounts:
- The egoadmin user account in AD1.COM, which maps to
the built-in Admin cluster administrator account in IBM Spectrum Symphony.
- The ad1tester user account in AD1.COM.
- The ad2tester user account in AD2.COM.
-
Log on to any management host in the cluster as cluster administrator and shut down the
cluster:
egosh user logon –u Admin –x Admin
soamcontrol app disable all
egosh service stop all
egosh ego shutdown all
-
Modify the security configuration on all management hosts in your cluster.
-
On each management host, modify the following parameters in the
$EGO_CONFDIR/ego.conf file:
- EGO_SEC_PLUGIN: Set to Kerberos authentication through the GSS-Kerberos
plug-in.
EGO_SEC_PLUGIN=sec_ego_gsskrb
- EGO_SEC_CONF: Specify the plug-in's configuration in the format
path_to_plugin_conf_dir,created-ttl,plugin_log_level,path_to_plugin_log_dir
, where:
- path_to_plugin_conf_dir (required): Specifies the absolute path to the
sec_ego_gsskrb.conf file (which is defined in the next step).
- created_ttl (optional): Specifies a time-to-live duration for the
authentication token sent from the client to the server. Valid value is higher than 0 but lower than
1440 minutes (24 hours). The default is 600 minutes (10 hours).
- plugin_log_level (optional): Specifies the log level for the plug-in. Valid
values are DEBUG, INFO, WARN, and
ERROR. As a best practice, set the log level as ERROR or
WARN. A lower level causes too many messages to be logged, making it harder to
troubleshoot if required.
- path_to_plugin_log_dir (optional): Specifies the absolute path to the
directory where the plug-in's logs are located.
For
example:EGO_SEC_CONF=/EGOShare/kernel/conf,600,ERROR,/opt/EGO/kernel/log
- EGO_SEC_KRB_SERVICENAME: Specify the Kerberos principal for the
authentication server, which by default is
vemkd/${host}
. You can specify the
service principal as a cluster-wide principal or a host-based principal:
- For a cluster-wide principal, use a valid Kerberos principal name. For
example:
EGO_SEC_KRB_SERVICENAME=abc123service
While you can include the
Kerberos realm for a cluster-wide principal, it is not required. It is good practice to define the
realm for the principal name only in the sec_ego_gsskrb.conf file.
- For a host-based principal, use the keyword
${host}
to replace the host name in
the Kerberos principal. For
example:EGO_SEC_KRB_SERVICENAME=abc123service/${host}
-
Define the following parameters in the $EGO_CONFDIR/sec_ego_gsskrb.conf
file:
- REALM: Specify the Kerberos realm, which is used as the realm of both the
user principal and the service principal. For example:
REALM=AD1.COM
- KRB5_KTNAME: Specify the absolute path to the keytab file containing one or
more keys for the service principal, which is defined in the
EGO_SEC_KRB_SERVICENAME parameter. For
example:
KRB5_KTNAME=/tmp/service.keytab
- KERBEROS_ADMIN: Specify the Kerberos principal that will map to the user
name of the built-in cluster administrator (Admin). Ensure that all
management hosts use the same value. For
example:
KERBEROS_ADMIN=egoadmin
While you can include the Kerberos realm in
the value, it is not required. It is good practice to define the realm only in the
sec_ego_gsskrb.conf file.
Important: When you
access the cluster from the cluster management console, you cannot log in directly
as the KERBEROS_ADMIN user. Instead, when you log in as the cluster
administrator, use the Admin user name and the password of the principal
defined by KERBEROS_ADMIN.
- KINITDIR: Specify the location of the MIT kinit tool,
which by default is /usr/bin. For
example:
KINITDIR=/usr/bin
- ENABLE_AD_USERS_MANAGE: Specify whether AD users must be added
automatically to the EGO user namespace. Valid values are Y or N.
For example:
ENABLE_AD_USERS_MANAGE=Y
If you specify
Y, AD users are automatically added to the EGO namespace. If you specify
N, you must manually add AD users to the EGO user namespace, either from the
egosh user add command or from the cluster management console. This parameter is optional
and is not defined by default.
-
Modify the configuration on all compute hosts in the cluster.
-
On each compute host, define the EGO_SEC_PLUGIN,
EGO_SEC_CONF, and EGO_SEC_KRB_SERVICENAME parameters in
$EGO_CONFDIR/ego.conf, as configured on management hosts in step 2.a. For example:
EGO_SEC_PLUGIN=sec_ego_gsskrb
EGO_SEC_CONF=/opt/EGO/kernel/conf,600,ERROR,/opt/EGO/kernel/log
EGO_SEC_KRB_SERVICENAME=abc123service
-
Define the REALM and KINITDIR parameters in the
$EGO_CONFDIR/sec_ego_gsskrb.conf file, as configured on management hosts in
step 2.b.
Optionally, define the KERBEROS_ADMIN parameter. For example:
REALM=AD1.COM
KINITDIR=/usr/bin
KERBEROS_ADMIN=egoadmin
If you define the KERBEROS_ADMIN parameter on compute hosts, use the same
value as on management hosts. When this parameter is defined on compute hosts, you can log on to the
cluster as the Admin user with the password of the
KERBEROS_ADMIN principal (for example, egoadmin
). When this
parameter is not defined on compute hosts and its value on management hosts is not
Admin, you cannot use the Admin user to log on from
the compute host. To log on as the Admin
user, you must use the principal defined
by the KERBEROS_ADMIN parameter on management hosts (egoadmin
in this example) as the user name.
-
Modify the configuration on all client hosts in the cluster.
-
On each client host, modify the EGO_SEC_PLUGIN,
EGO_SEC_CONF, and EGO_SEC_KRB_SERVICENAME parameters in
$SOAM_HOME/conf/ego.conf as configured on compute hosts in step 3.a. For
example:
EGO_SEC_PLUGIN=sec_ego_gsskrb
EGO_SEC_CONF=/opt/SymphonyClient/Client73.2/conf,600,ERROR,/opt/SymphonyClient/Client73.2/log
EGO_SEC_KRB_SERVICENAME=abc123service
-
Define the sec_ego_gsskrb.conf file as configured on compute hosts in step
3.b. For
example:
REALM=AD1.COM
KINITDIR=/usr/bin
KERBEROS_ADMIN=egoadmin
-
Start the cluster and enable applications:
egosh ego start
soamcontrol app enable appName
What to do next
Use Kerberos authentication to log on to your hosts and run workload. See Using Kerberos authentication to access a Linux cluster (AD as KDC).