Configuring Kerberos authentication on Linux hosts

When Microsoft Active Directory (AD) serves as the KDC in your cluster, configure Kerberos user authentication through the GSS-Kerberos security plug-in on Linux® hosts in your cluster.

Before you begin

Ensure that you meet the prerequisites for Kerberos authentication outlined in Prerequisites (Microsoft AD).

If you want AD users to be automatically loaded to IBM Spectrum Symphony (by setting the ENABLE_AD_USERS_MANAGE parameter to Y), the use_fully_qualified_names parameter in the /etc/sssd/sssd.conf file must be set to False. Ensure also that the AD domain users are not already added to IBM Spectrum Symphony.

About this task

To enable Kerberos authentication with AD in the IBM Spectrum Symphony cluster, you must configure all your Linux hosts (management, compute, and client) to use the sec_ego_gsskrb plug-in.

This task uses the following examples to illustrate a basic Kerberos scenario; ensure that you modify this task as it applies to your production cluster:
  • Your environment includes two AD domains: AD1.COM and AD2.COM. An external two-way trust is established between them and both domains are configured in the Kerberos configuration file (/etc/krb5.conf). The realms corresponding to the two domains are AD1.COM and AD2.COM.
    • Management and compute hosts are joined to AD1.COM.
    • Linux client host linuxclient1 is joined to AD1.COM; Linux client host linuxclient2 is joined to AD2.COM. These hosts can be Developer Edition hosts that serve as client hosts.
  • The service principal for the authentication server, called abc123service, is created in AD1.COM and it is added to the /tmp/service.keytab on the primary host.
  • The AD1.COM and AD2.COM domains include the following user accounts:
    • The egoadmin user account in AD1.COM, which maps to the built-in Admin cluster administrator account in IBM Spectrum Symphony.
    • The ad1tester user account in AD1.COM.
    • The ad2tester user account in AD2.COM.

Procedure

  1. Log on to any management host in the cluster as cluster administrator and shut down the cluster:
    egosh user logon –u Admin –x Admin
    soamcontrol app disable all
    egosh service stop all
    egosh ego shutdown all
  2. Modify the security configuration on all management hosts in your cluster.
    1. On each management host, modify the following parameters in the $EGO_CONFDIR/ego.conf file:
      • EGO_SEC_PLUGIN: Set to Kerberos authentication through the GSS-Kerberos plug-in.
        EGO_SEC_PLUGIN=sec_ego_gsskrb
      • EGO_SEC_CONF: Specify the plug-in's configuration in the format path_to_plugin_conf_dir,created-ttl,plugin_log_level,path_to_plugin_log_dir, where:
        • path_to_plugin_conf_dir (required): Specifies the absolute path to the sec_ego_gsskrb.conf file (which is defined in the next step).
        • created_ttl (optional): Specifies a time-to-live duration for the authentication token sent from the client to the server. Valid value is higher than 0 but lower than 1440 minutes (24 hours). The default is 600 minutes (10 hours).
        • plugin_log_level (optional): Specifies the log level for the plug-in. Valid values are DEBUG, INFO, WARN, and ERROR. As a best practice, set the log level as ERROR or WARN. A lower level causes too many messages to be logged, making it harder to troubleshoot if required.
        • path_to_plugin_log_dir (optional): Specifies the absolute path to the directory where the plug-in's logs are located.
        For example:
        EGO_SEC_CONF=/EGOShare/kernel/conf,600,ERROR,/opt/EGO/kernel/log
      • EGO_SEC_KRB_SERVICENAME: Specify the Kerberos principal for the authentication server, which by default is vemkd/${host}. You can specify the service principal as a cluster-wide principal or a host-based principal:
        • For a cluster-wide principal, use a valid Kerberos principal name. For example:
          EGO_SEC_KRB_SERVICENAME=abc123service

          While you can include the Kerberos realm for a cluster-wide principal, it is not required. It is good practice to define the realm for the principal name only in the sec_ego_gsskrb.conf file.

        • For a host-based principal, use the keyword ${host} to replace the host name in the Kerberos principal. For example:
          EGO_SEC_KRB_SERVICENAME=abc123service/${host}
    2. Define the following parameters in the $EGO_CONFDIR/sec_ego_gsskrb.conf file:
      • REALM: Specify the Kerberos realm, which is used as the realm of both the user principal and the service principal. For example:
        REALM=AD1.COM
      • KRB5_KTNAME: Specify the absolute path to the keytab file containing one or more keys for the service principal, which is defined in the EGO_SEC_KRB_SERVICENAME parameter. For example:
        KRB5_KTNAME=/tmp/service.keytab
      • KERBEROS_ADMIN: Specify the Kerberos principal that will map to the user name of the built-in cluster administrator (Admin). Ensure that all management hosts use the same value. For example:
        KERBEROS_ADMIN=egoadmin

        While you can include the Kerberos realm in the value, it is not required. It is good practice to define the realm only in the sec_ego_gsskrb.conf file.

        Important: When you access the cluster from the cluster management console, you cannot log in directly as the KERBEROS_ADMIN user. Instead, when you log in as the cluster administrator, use the Admin user name and the password of the principal defined by KERBEROS_ADMIN.
      • KINITDIR: Specify the location of the MIT kinit tool, which by default is /usr/bin. For example:
        KINITDIR=/usr/bin
      • ENABLE_AD_USERS_MANAGE: Specify whether AD users must be added automatically to the EGO user namespace. Valid values are Y or N. For example:
        ENABLE_AD_USERS_MANAGE=Y

        If you specify Y, AD users are automatically added to the EGO namespace. If you specify N, you must manually add AD users to the EGO user namespace, either from the egosh user add command or from the cluster management console. This parameter is optional and is not defined by default.

  3. Modify the configuration on all compute hosts in the cluster.
    1. On each compute host, define the EGO_SEC_PLUGIN, EGO_SEC_CONF, and EGO_SEC_KRB_SERVICENAME parameters in $EGO_CONFDIR/ego.conf, as configured on management hosts in step 2.a. For example:
      EGO_SEC_PLUGIN=sec_ego_gsskrb
      EGO_SEC_CONF=/opt/EGO/kernel/conf,600,ERROR,/opt/EGO/kernel/log
      EGO_SEC_KRB_SERVICENAME=abc123service
    2. Define the REALM and KINITDIR parameters in the $EGO_CONFDIR/sec_ego_gsskrb.conf file, as configured on management hosts in step 2.b. Optionally, define the KERBEROS_ADMIN parameter. For example:
      REALM=AD1.COM
      KINITDIR=/usr/bin
      KERBEROS_ADMIN=egoadmin

      If you define the KERBEROS_ADMIN parameter on compute hosts, use the same value as on management hosts. When this parameter is defined on compute hosts, you can log on to the cluster as the Admin user with the password of the KERBEROS_ADMIN principal (for example, egoadmin). When this parameter is not defined on compute hosts and its value on management hosts is not Admin, you cannot use the Admin user to log on from the compute host. To log on as the Admin user, you must use the principal defined by the KERBEROS_ADMIN parameter on management hosts (egoadmin in this example) as the user name.

  4. Modify the configuration on all client hosts in the cluster.
    1. On each client host, modify the EGO_SEC_PLUGIN, EGO_SEC_CONF, and EGO_SEC_KRB_SERVICENAME parameters in $SOAM_HOME/conf/ego.conf as configured on compute hosts in step 3.a. For example:
      EGO_SEC_PLUGIN=sec_ego_gsskrb
      EGO_SEC_CONF=/opt/SymphonyClient/Client73.2/conf,600,ERROR,/opt/SymphonyClient/Client73.2/log
      EGO_SEC_KRB_SERVICENAME=abc123service
    2. Define the sec_ego_gsskrb.conf file as configured on compute hosts in step 3.b. For example:
      REALM=AD1.COM
      KINITDIR=/usr/bin
      KERBEROS_ADMIN=egoadmin
  5. Start the cluster and enable applications:
    egosh ego start 
    soamcontrol app enable appName

What to do next

Use Kerberos authentication to log on to your hosts and run workload. See Using Kerberos authentication to access a Linux cluster (AD as KDC).