Enabling kerberos security

The initial requirement is that your local Linux accounts correspond to Kerberos principal names.

To start, install the krb5 packages:

yum install krb5-workstation

Then ask your Kerberos administrator to create the service principal “host/<mgm hostname>@EXAMPLE.COM”, where EXAMPLE.COM is your REALM (like CERN.CH, SASKE.SK, ...), and to create a keytab file for it, for example krb5.keytab. The keytab file is stored under /etc/krb5.keytab on the MGM node. To test it you can use the ktutil command. The following example shows the keytab contents used on the MGM host eosfoo.bar.ch (realm BAR.CH):

[root@eosfoo.bar.ch ~]# ktutil
ktutil:
ktutil:  read_kt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/eosfoo.bar.ch@BAR.CH
   2    2 host/eosfoo.bar.ch@BAR.CH
   3    2 host/eosfoo.bar.ch@BAR.CH
   4    2 host/eosfoo.bar.ch@BAR.CH

On the MGM, in /etc/xrd.cf.mgm, you have to enable Kerberos 5 authentication:

sec.protocol krb5 host/<host>@EXAMPLE.COM

sec.protbind * only krb5 sss unix

To enable krb5 security mapping of user names, run:

eos -b vid enable krb5
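The steps above leave three things that are easy to get wrong and only show up later as failed krb5 logins: a keytab issued for a hostname or realm other than the MGM's, a sec.protbind line that declares krb5 but does not actually bind it for clients, and a keytab readable by users other than root. The following POSIX sh script is an added example, not part of the EOS documentation; it checks all three against constructed sample data (a ktutil listing and xrd.cf.mgm fragments modelled on the ones shown above, plus a temporary file standing in for /etc/krb5.keytab), so it runs offline. The function names and the samples are assumptions made here; on a real MGM you would feed it the actual ktutil output and config file text.

```shell
#!/bin/sh
# Added example, not part of the EOS documentation: sanity checks for the
# Kerberos setup described above, run on constructed sample data.

# Constructed sample: a ktutil listing for the MGM host eosfoo.bar.ch in realm BAR.CH.
SAMPLE_KTUTIL='slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 host/eosfoo.bar.ch@BAR.CH
   2    2 host/eosfoo.bar.ch@BAR.CH
   3    2 host/eosfoo.bar.ch@BAR.CH
   4    2 host/eosfoo.bar.ch@BAR.CH'

# Constructed sample: the krb5 lines of /etc/xrd.cf.mgm as shown above.
SAMPLE_MGM_CFG='sec.protocol krb5 host/eosfoo.bar.ch@BAR.CH
sec.protbind * only krb5 sss unix'

# Constructed sample: krb5 is declared but sec.protbind only offers unix,
# so clients can never authenticate with Kerberos.
SAMPLE_MGM_CFG_BAD='sec.protocol krb5 host/eosfoo.bar.ch@BAR.CH
sec.protbind * only unix'

# keytab_has_host_principal LISTING FQDN REALM
# Succeeds if the ktutil listing contains exactly host/FQDN@REALM. The
# principal is the last field of each entry line; compare the whole string so
# a keytab for a similarly named host or another realm is not accepted.
keytab_has_host_principal() {
    printf '%s\n' "$1" | awk -v want="host/$2@$3" \
        '$NF == want { found = 1 } END { exit !found }'
}

# mgm_cfg_uses_krb5 CONFIG FQDN REALM
# Succeeds only if the config declares the krb5 protocol with the expected
# service principal AND lists krb5 in the sec.protbind protocol set.
mgm_cfg_uses_krb5() {
    printf '%s\n' "$1" | awk -v princ="host/$2@$3" '
        $1 == "sec.protocol" && $2 == "krb5" && $3 == princ { proto = 1 }
        $1 == "sec.protbind" { for (i = 3; i <= NF; i++) if ($i == "krb5") bind = 1 }
        END { exit !(proto && bind) }'
}

# keytab_mode_ok PATH
# Succeeds if PATH is a regular file with mode 0600. The keytab holds the
# MGM service key; wider read permission lets any local user use it.
keytab_mode_ok() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Stand-alone demonstration against the constructed samples.
keytab_has_host_principal "$SAMPLE_KTUTIL" eosfoo.bar.ch BAR.CH \
    && echo "keytab: host/eosfoo.bar.ch@BAR.CH present"
mgm_cfg_uses_krb5 "$SAMPLE_MGM_CFG" eosfoo.bar.ch BAR.CH \
    && echo "xrd.cf.mgm: krb5 declared and bound for clients"
mgm_cfg_uses_krb5 "$SAMPLE_MGM_CFG_BAD" eosfoo.bar.ch BAR.CH \
    || echo "xrd.cf.mgm (bad sample): krb5 declared but not in sec.protbind"
tmp_keytab=$(mktemp) && chmod 600 "$tmp_keytab"
keytab_mode_ok "$tmp_keytab" && echo "keytab file: mode 0600 as expected"
rm -f "$tmp_keytab"
```

On a live MGM the listing can be captured with ktutil as shown earlier (or `klist -k /etc/krb5.keytab`, whose entry lines also end in the principal) and the config with `cat /etc/xrd.cf.mgm`; the hostname passed must be the fully qualified name the MGM answers to, since that is what clients request a service ticket for.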