User Management using Kerberos

What is Kerberos?

Kerberos is a network authentication protocol designed to provide secure authentication over insecure networks. It uses symmetric key cryptography to enable secure exchange of credentials between clients and servers, ensuring that both parties can trust each other without transmitting passwords. Kerberos relies on a trusted third-party service called the Key Distribution Center (KDC) to authenticate users and grant them "tickets" for accessing resources on the network.

Why Kerberos in PowerFolder?

PowerFolder.config stores the username and password for the database connection. As an alternative, the server administrator can select ticket-based authentication using Kerberos, so that no database password needs to be kept in the configuration file.

Preconditions

  • Create a Kerberos account, e.g. powerfolderdbadmin

  • Change the required settings, e.g. timezone, time-server and name server

Installation and Configuration

Follow these steps (Linux server):

apt update; apt -y upgrade
apt install -y krb5-user
cat > /etc/krb5.conf

Change the configuration as follows:

Warning: the REALM entries are case-sensitive; write them exactly as the realm is defined (upper-case in the example below).

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
forwardable = yes
proxiable = true
rdns = false
permitted_enctypes = aes256-sha1 aes128-sha1

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[realms]
EXAMPLE.COM = {
    kdc = srv1.example.com
    kdc = srv2.example.com
    kdc = srv3.example.com
    admin_server = srv1.example.com
}
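The warning above is easy to get wrong in practice (a lower-case realm, a [domain_realm] mapping to a realm that is never declared, a realm block without any kdc). The following shell script is an added check written for this page, not part of the PowerFolder documentation. It assumes the MIT-style INI layout shown above; the configuration it writes for its own self-test is a constructed copy of that file.

```shell
#!/bin/sh
# Added example, not part of the PowerFolder documentation: sanity-check a
# krb5.conf before the server uses it. Assumes the MIT-style INI layout shown
# above ([libdefaults], [domain_realm], [realms] with "REALM = { ... }" blocks).

# Print the value of KEY in [SECTION] (first match), whitespace stripped.
krb5_get() {   # $1 = file, $2 = section, $3 = key
  awk -v sec="[$2]" -v key="$3" '
    { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
    line == sec  { insec = 1; next }
    line ~ /^\[/ { insec = 0 }
    insec && index(line, "=") {
      k = substr(line, 1, index(line, "=") - 1); gsub(/[ \t]/, "", k)
      if (k == key) { v = substr(line, index(line, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    }' "$1"
}

# Realm names declared in [realms] (lines of the form "NAME = {").
krb5_declared_realms() {   # $1 = file
  awk '
    { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
    line == "[realms]" { insec = 1; next }
    line ~ /^\[/       { insec = 0 }
    insec && line ~ /=[ \t]*\{$/ { sub(/[ \t]*=.*/, "", line); print line }' "$1"
}

# Realms referenced on the right-hand side of [domain_realm] mappings.
krb5_mapped_realms() {   # $1 = file
  awk '
    { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
    line == "[domain_realm]" { insec = 1; next }
    line ~ /^\[/             { insec = 0 }
    insec && index(line, "=") { v = substr(line, index(line, "=") + 1); gsub(/[ \t]/, "", v); print v }' "$1"
}

# Number of "kdc =" lines inside the [realms] block of REALM.
krb5_kdc_count() {   # $1 = file, $2 = realm
  awk -v realm="$2" '
    { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
    line == "[realms]" { insec = 1; next }
    line ~ /^\[/       { insec = 0; inblock = 0 }
    insec && line ~ /=[ \t]*\{$/ { name = line; sub(/[ \t]*=.*/, "", name); inblock = (name == realm); next }
    insec && inblock && line ~ /^kdc[ \t]*=/ { n++ }
    line == "}" { inblock = 0 }
    END { print n + 0 }' "$1"
}

# 0 if the realm name contains no lower-case letters. Realms are
# case-sensitive: a KDC for EXAMPLE.COM does not serve "example.com".
realm_is_upper() {   # $1 = realm
  [ "$1" = "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" ]
}

# Run all checks; prints every problem found and returns non-zero if any.
check_krb5_conf() {   # $1 = krb5.conf
  conf="$1"; rc=0
  realm=$(krb5_get "$conf" libdefaults default_realm)
  [ -n "$realm" ] || { echo "ERROR: no default_realm in [libdefaults]"; rc=1; }
  declared=$(krb5_declared_realms "$conf")
  for r in $( { printf '%s\n' "$realm"; krb5_mapped_realms "$conf"; } | sort -u ); do
    realm_is_upper "$r" || { echo "ERROR: realm '$r' contains lower-case characters"; rc=1; }
    if printf '%s\n' "$declared" | grep -qxF "$r"; then
      [ "$(krb5_kdc_count "$conf" "$r")" -gt 0 ] || { echo "ERROR: realm '$r' declares no kdc"; rc=1; }
    else
      echo "ERROR: realm '$r' is used but not declared in [realms]"; rc=1
    fi
  done
  return $rc
}

# Constructed sample mirroring the configuration above (used by the self-test).
write_sample_krb5_conf() {   # $1 = output path
  cat > "$1" <<'EOF'
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
forwardable = yes
proxiable = true
rdns = false
permitted_enctypes = aes256-sha1 aes128-sha1

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[realms]
EXAMPLE.COM = {
    kdc = srv1.example.com
    kdc = srv2.example.com
    kdc = srv3.example.com
    admin_server = srv1.example.com
}
EOF
}

# Usage: sh check-krb5.sh /etc/krb5.conf
if [ $# -gt 0 ]; then check_krb5_conf "$1"; fi
```

Run it against /etc/krb5.conf after editing the file; a non-zero exit with the printed ERROR lines tells you what to fix before trying kinit.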

Update Password

kpasswd powerfolderdbadmin@EXAMPLE.COM

Create Keytab-Files

The keytab stores the key derived from the password, so the password must be the same as the one set in the ADS. Because the keytab is equivalent to the password, it must be readable only by the service user.

Follow the steps:

ktutil
add_entry -password -p powerfolderdbadmin@EXAMPLE.COM -k 1 -f
list
write_kt ~powerfolderdbadm/powerfolderdbadm.keytab
quit

Check the Keytab-File

klist -keKt ~powerfolderdbadm/powerfolderdbadm.keytab

Check the authentication

kinit -Vkt ~powerfolderdbadm/powerfolderdbadm.keytab powerfolderdbadmin@EXAMPLE.COM

Check the ticket

klist -CeA

Download JDBC Driver for SQL Server

For Microsoft SQL Server 2022: https://learn.microsoft.com/en-us/sql/connect/jdbc/download-microsoft-jdbc-driver-for-sql-server?view=sql-server-ver16&viewFallbackFrom=sql-server-ver22

wget -O sqljdbc.tgz https://go.microsoft.com/fwlink/?linkid=2283563
tar -xvzf sqljdbc.tgz
cp sqljdbc_12.8/enu/jars/mssql-jdbc-12.8.1.jre11.jar ~powerfolderdbadm
chmod 755 ~powerfolderdbadm/mssql-jdbc-12.8.1.jre11.jar
chown powerfolderdbadm:powerfolderdbadm ~powerfolderdbadm/mssql-jdbc-12.8.1.jre11.jar

Setup "Java Authentication and Authorization Service (JAAS)"

https://docs.oracle.com/javase/8/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

cat > ~powerfolderdbadm/jaas.conf

SQLJDBCDriver {
  com.sun.security.auth.module.Krb5LoginModule required
  debug=false
  principal=powerfolderdbadmin@EXAMPLE.COM
  renewTGT="true"
  useTicketCache="true"
  useKeyTab="true"
  keyTab="/home/powerfolderdbadm/powerfolderdbadm.keytab"
  doNotPrompt="true";
};

Update PowerFolder.config

hibernate.connection.password=
hibernate.connection.username=
hibernate.connection.url=jdbc:sqlserver://sql.example.com:1433;databaseName=powerfolderdb;encrypt=true;integratedSecurity=true;trustServerCertificate=true;authenticationScheme=JavaKerberos;jaasConfigurationName=SQLJDBCDriver

Leave username and password empty; the JDBC driver authenticates with the Kerberos ticket obtained through the JAAS entry named in jaasConfigurationName. Note that trustServerCertificate=true makes the driver accept the SQL Server's TLS certificate without validating it.

Change PowerFolder.sh

Add the new variable "KERBEROS" to PowerFolder.sh and include it in RUN_CMD:

KERBEROS="-Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.auth.login.config=/home/powerfolderdbadm/jaas.conf -Djavax.security.auth.useSubjectCredsOnly=false"
RUN_CMD="$RUN_JAVA $JAVA_MEM $JAVA_ADD $JAVA_TMP $KERBEROS -Duser.home=$SERVER_HOME -Dpf.install.dir=$SERVER_INSTALL -cp $CP -server de.dal33t.Start"
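The keytab, jaas.conf and PowerFolder.config steps above must agree with each other: the jaasConfigurationName in the JDBC URL has to match the JAAS entry name, that entry's keyTab must exist and be readable only by the service user, and the static username and password must be left empty. The following shell script is an added example written for this page (not PowerFolder's own code) that checks exactly that. The mode-0600 requirement, the numeric-uid comparison and the sample files it constructs for its self-test are assumptions of this example, not something the documentation states.

```shell
#!/bin/sh
# Added example, not part of the PowerFolder documentation: consistency checks
# for the keytab, jaas.conf and PowerFolder.config set up above. Assumes the
# JAAS entry has the form  NAME { ... keyTab="/path" ...; };  and that the JDBC
# URL is a single hibernate.connection.url= line with ;-separated properties.

# 0 if FILE exists, is owned by numeric UID and has no group/other permission bits.
# The keytab is equivalent to the account's password, so anything wider is a finding.
check_keytab_perms() {   # $1 = keytab path, $2 = expected owner uid
  file="$1"; uid="$2"; rc=0
  [ -f "$file" ] || { echo "ERROR: keytab $file missing"; return 1; }
  owner=$(ls -ldn "$file" | awk '{ print $3 }')
  mode=$(ls -ld "$file" | cut -c1-10)
  [ "$owner" = "$uid" ] || { echo "ERROR: $file is owned by uid $owner, expected $uid"; rc=1; }
  case "$mode" in
    ?rw-------|?r--------) ;;
    *) echo "ERROR: $file has mode $mode; expected 0600 (or 0400)"; rc=1 ;;
  esac
  return $rc
}

# Print the keyTab path of JAAS entry NAME (empty if not found).
jaas_keytab_path() {   # $1 = jaas.conf, $2 = entry name
  awk -v name="$2" '
    $1 == name && $2 == "{" { inentry = 1 }
    inentry && match($0, /keyTab="[^"]*"/) { print substr($0, RSTART + 8, RLENGTH - 9); exit }
    inentry && /};/ { inentry = 0 }' "$1"
}

# Print property KEY from the ;-separated JDBC URL in PowerFolder.config.
jdbc_url_prop() {   # $1 = PowerFolder.config, $2 = property name
  sed -n 's/^hibernate\.connection\.url=//p' "$1" | tr ';' '\n' | sed -n "s/^$2=//p"
}

# Print a top-level KEY=value property with surrounding whitespace removed.
config_prop() {   # $1 = PowerFolder.config, $2 = key
  sed -n "s/^$2=//p" "$1" | tr -d ' \t'
}

# Cross-check the three files; prints each problem and returns non-zero if any.
check_db_auth_config() {   # $1 = PowerFolder.config, $2 = jaas.conf, $3 = service uid
  cfg="$1"; jaas="$2"; uid="$3"; rc=0
  scheme=$(jdbc_url_prop "$cfg" authenticationScheme)
  [ "$scheme" = "JavaKerberos" ] || { echo "ERROR: authenticationScheme is '$scheme', expected JavaKerberos"; rc=1; }
  [ "$(jdbc_url_prop "$cfg" integratedSecurity)" = "true" ] || { echo "ERROR: integratedSecurity must be true"; rc=1; }
  # With ticket authentication the static credentials must stay empty; a filled-in
  # password would keep a secret in PowerFolder.config that Kerberos was meant to remove.
  for k in hibernate.connection.username hibernate.connection.password; do
    [ -z "$(config_prop "$cfg" "$k")" ] || { echo "ERROR: $k is still set"; rc=1; }
  done
  name=$(jdbc_url_prop "$cfg" jaasConfigurationName)
  kt=$(jaas_keytab_path "$jaas" "$name")
  if [ -n "$kt" ]; then
    check_keytab_perms "$kt" "$uid" || rc=1
  else
    echo "ERROR: no JAAS entry '$name' with a keyTab in $jaas"; rc=1
  fi
  [ "$(jdbc_url_prop "$cfg" trustServerCertificate)" != "true" ] ||
    echo "WARN: trustServerCertificate=true disables validation of the SQL Server TLS certificate"
  return $rc
}

# Constructed sample files mirroring the configuration above (used by the self-test).
write_sample_files() {   # $1 = directory
  dir="$1"
  : > "$dir/powerfolderdbadm.keytab"   # empty stand-in, not a real keytab
  chmod 600 "$dir/powerfolderdbadm.keytab"
  cat > "$dir/jaas.conf" <<EOF
SQLJDBCDriver {
  com.sun.security.auth.module.Krb5LoginModule required
  debug=false
  principal=powerfolderdbadmin@EXAMPLE.COM
  renewTGT="true"
  useTicketCache="true"
  useKeyTab="true"
  keyTab="$dir/powerfolderdbadm.keytab"
  doNotPrompt="true";
};
EOF
  cat > "$dir/PowerFolder.config" <<'EOF'
hibernate.connection.password=
hibernate.connection.username=
hibernate.connection.url=jdbc:sqlserver://sql.example.com:1433;databaseName=powerfolderdb;encrypt=true;integratedSecurity=true;trustServerCertificate=true;authenticationScheme=JavaKerberos;jaasConfigurationName=SQLJDBCDriver
EOF
}

# Usage: sh check-db-auth.sh /path/PowerFolder.config /home/powerfolderdbadm/jaas.conf "$(id -u powerfolderdbadm)"
if [ $# -eq 3 ]; then check_db_auth_config "$1" "$2" "$3"; fi
```

Run it as the last step before restarting the server; the uid argument is the local service account (powerfolderdbadm above), because the keytab must belong to the user that PowerFolder.sh runs as, not to the Kerberos principal name.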