Setting Up Kerberos Authentication

Kerberos information is configured on a per-mount target basis using the following steps.

Note

These steps assume that you're using LDAP authorization to enable per-user Kerberos authentication. Anonymous access with Kerberos authentication is possible without the LDAP requirements and corresponding steps. For more information, see LDAP Lookups and Anonymous Access.
  1. Ensure that you have the LDAP and Kerberos infrastructure required. See Prerequisites for more information.
    1. If the default VCN resolver isn't used, add forward and reverse name records to the customer-managed DNS server.
    2. Add the mount target principal to the KDC and extract a binary keytab from KDC. The steps to extract a keytab differ based on the type of KDC in use (Linux based or Active Directory).
  2. Convert the binary Kerberos keytab to Base64, then use it to create a secret in OCI Vault. Ensure that you select Base64 as the format of the secret when you paste in the converted keytab. For more information, see Overview of Vault.
  3. Upload the LDAP password to OCI Vault as a secret in plain-text format. For more information, see Overview of Vault.
  4. Add the required IAM policies.
  5. Create two outbound connectors to contact the LDAP server.
    Note

    Using LDAP for authorization requires at least one outbound connector. A second outbound connector can be used as a backup or for failover. See LDAP Lookups and Anonymous Access for details on how File Storage responds when it can't reach an LDAP server.
  6. Add LDAP configuration details to a mount target.
  7. Add Kerberos authentication details to the same mount target and validate the keytab.
    Note

    Kerberos configuration isn’t shared across mount targets.
  8. Verify that the mount target used for Kerberos authentication has:
    • A fully qualified domain name (FQDN) that matches the instance of the Kerberos keytab principal. For example: nfs/<FQDN_of_mount_target>@<REALM>.
      Note

      When the default Internet and VCN Resolver, the File Storage service constructs a FQDN by combining the mount target's hostname with the FQDN of the subnet the mount target is located in. For more information, see Managing Mount Targets.
    • A FQDN that was added to the DNS server with both forward and reverse lookup.
  9. Create or update a file system using the LDAP and Kerberos-enabled mount target.
  10. Add a Kerberos-enabled export to the mount target. See Use Kerberos for Authentication for an example.
  11. Mount the file system. For more information, see Mounting Kerberos-enabled File Systems.
    Note

    Use the FQDN of the mount target instead of the IP address.

Enable Kerberos Authentication for a Mount Target

Configure Kerberos authentication for a File Storage mount target.

Note

When you update an existing mount target to use Kerberos, it can take some time for File Storage to fully reflect the updates.
    1. Open the navigation menu and click Storage. Under File Storage, click Mount Targets.
    2. In the List scope section, under Compartment, select a compartment.
    3. Find the mount target that you're interested in, click the Actions menu (Actions Menu), and then click View details.
    4. Click the NFS tab to view or edit the existing NFS settings for the mount target.
    5. Next to Kerberos, click Manage.
    6. In the Manage Kerberos window, provide the following details:

      • Kerberos realm: Enter the Kerberos realm that this mount target joins.
      • In Keytab information section, provide the following details:
        • Select the Vault that contains the keytab secret you want to use.
        • Select the Keytab Secret.
        • Select the Current keytab Secret version and the Backup keytab Secret version.
        Caution

        Be sure to back up your vaults and keys. Deleting a vault and key otherwise means losing the ability to decrypt any resource or data that the key was used to encrypt. For more information, see Backing Up and Restoring Vaults and Keys.
    7. Click Validate keytab before enabling Kerberos to inspect the contents of the keytab.

      Caution

      An improperly configured keytab can cause NFS clients to lose access to file systems.
    8. Enable Kerberos: Enable this option to use Kerberos. See Using Kerberos Authentication for more information.
    9. Click Save.
  • Use the oci fs mount-target create command with the --kerberos, --idmap-type, and --ldap-idmap options to create a mount target and provide Kerberos and LDAP details.

    oci fs mount-target create --availability-domain <availability_domain> --compartment-id <compartment_id> --subnet-id <subnet_id> --kerberos <file://krb.json> --ldap-idmap <file://ldap.json>

    Use the oci fs mount-target update command with the --kerberos, --idmap-type, and --ldap-idmap options to update an existing mount target with Kerberos and LDAP details.

    oci fs mount-target update --mount-target-id <mount_target_id> --kerberos <file://krb.json> --ldap-idmap <file://ldap.json>

    An example krb.json file follows:

    {
      "currentKeyTabSecretVersion": 1,
      "isKerberosEnabled": true,
      "kerberosRealm": "EXAMPLE.COM",
      "keyTabSecretId": "ocid1.vaultsecret.oc1.eu-frankfurt-1.exampleuniqueID"
    }

    An example ldap.json file follows:

    {
      "cacheLifetimeSeconds": 300,
      "cacheRefreshIntervalSeconds": 300,
      "groupSearchBase": "cn=accounts,dc=example,dc=com",
      "negativeCacheLifetimeSeconds": 300,
      "outboundConnector1Id": "ocid1.outboundconnector.oc1.exampleuniqueID",
      "outboundConnector2Id": "ocid1.outboundconnector.oc1.exampleuniqueID",
      "userSearchBase": "cn=accounts,dc=example,dc=com",
      "schemaType": "RFC2307"
    }

    Use the oci fs mount-target validate-key-tabs command to test the Kerberos keytab that the outbound connector associated with the mount target uses.

    oci fs mount-target validate-key-tabs --mount-target-id <mount_target_id>

    For a complete list of flags and variable options for CLI commands, see the Command Line Reference.

  • Use CreateMountTarget or UpdateMountTarget with the kerberos, idMapType, and ldapIdmap options to create or update a mount target with LDAP and Kerberos details.

    Use ValidateKeyTabs to validate the Kerberos keytab associated with the mount target.

    For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.