Adding users for Kerberos authentication

Add Kerberos principals and Active Directory (AD) users to the IBM® Spectrum Symphony database.

About this task

Kerberos principals and AD users cannot act as consumer users in IBM Spectrum Symphony until they are explicitly added to the EGO user namespace. The only exception is the built-in Admin user account, which is mapped to the AD user or Kerberos principal.

You can add users to IBM Spectrum Symphony from the command line or from the cluster management console. Follow these steps to add users by using the egosh user add command; to add users from the cluster management console, see Creating a user account.

Procedure

  1. Log on to any management or compute host as the cluster administrator. For example:
    egosh user logon -u Admin -x egoadminKDC
  2. Except for the user/principal that is mapped to the Admin user, use the egosh user add command to add all Kerberos principals and AD users to EGO. For example:
    egosh user add -u userKDC -x 111
    egosh user add -u userAD -x 111
    
    When adding users, you are not required to provide the KDC or AD password for the user; any random string is sufficient. Also, do not include the realm or domain. If one AD user is the same as a Kerberos principal except for the domain or realm, they are treated as the same user. For example, egoadmin@EXAMPLE.COM and egoadmin@EXAMPLEAD.COM are the same egoadmin user.
  3. Assign roles for the user accounts by using the egosh user assignrole command. For example:
    egosh user assignrole -u userKDC -r CLUSTER_ADMIN
    egosh user assignrole -u userAD -r CONSUMER_ADMIN -p /SymTesting/Symping73.2
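
Because step 2 drops the realm or domain, principals from different realms can collapse into one EGO user. The following script is an added example, not IBM code: it strips the realm or domain from a constructed list of principals, reports names that collapse into the same EGO user, and prints the egosh user add commands from step 2 for review. The DOMAIN\user input form and the use of egoadmin as the principal mapped to Admin are assumptions.

```shell
#!/bin/sh
# Added example, not IBM code. Names and realms below are constructed samples.

# Strip realm or domain: user@REALM -> user; DOMAIN\user -> user (the
# DOMAIN\user form is an assumption about how AD names are exported).
short_name() {
    n=${1##*\\}
    printf '%s\n' "${n%%@*}"
}

# List every short name reached from more than one realm or domain, with
# the full names that EGO will treat as that single user.
find_collisions() {
    for p in "$@"; do
        printf '%s %s\n' "$(short_name "$p")" "$p"
    done | LC_ALL=C sort -u | awk '
        { count[$1]++; full[$1] = full[$1] " " $2 }
        END { for (s in count) if (count[s] > 1) print s ":" full[s] }
    ' | LC_ALL=C sort
}

# Print one "egosh user add" per unique short name. $1 is the short name of
# the principal mapped to Admin, which step 2 says must not be added.
emit_add_commands() {
    admin=$1; shift
    for p in "$@"; do short_name "$p"; done | LC_ALL=C sort -u |
    while read -r u; do
        if [ "$u" = "$admin" ]; then continue; fi
        # -x only needs a random string, not the KDC or AD password.
        pw=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
        printf 'egosh user add -u %s -x %s\n' "$u" "$pw"
    done
}

# Constructed input; egoadmin as the Admin-mapped principal is an assumption.
set -- egoadmin@EXAMPLE.COM egoadmin@EXAMPLEAD.COM \
       userKDC@EXAMPLE.COM 'EXAMPLEAD\userAD'
echo "Names that share one EGO user:"; find_collisions "$@"
echo "Commands to review before running:"; emit_add_commands egoadmin "$@"
```

Review any reported collision before step 3, because roles assigned to the short name apply to every realm or domain identity that maps to it.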
    

What to do next

Use Kerberos authentication to log on to your hosts and run workload. See Using Kerberos authentication to access a Linux cluster.