Setting Up Kerberos Authentication

Kerberos information is configured on a per-mount target basis using the following steps.

Note

These steps assume that you're using LDAP authorization to enable per-user Kerberos authentication. Anonymous access with Kerberos authentication is possible without the LDAP requirements and corresponding steps. For more information, see LDAP Lookups and Anonymous Access.
  1. Ensure that you have the LDAP and Kerberos infrastructure required. See Prerequisites for more information.
    1. If the default VCN resolver isn't used, add forward and reverse name records to the customer-managed DNS server.
    2. Add the mount target principal to the KDC and extract a binary keytab from the KDC. The steps to extract a keytab differ based on the type of KDC in use (Linux based or Active Directory).
  2. Convert the binary Kerberos keytab to Base64, then use it to create a secret in OCI Vault. Ensure that you select Base64 as the format of the secret when you paste in the converted keytab. For more information, see Overview of Vault.
  3. Upload the LDAP password to OCI Vault as a secret in plain-text format. For more information, see Overview of Vault.
  4. Add the required IAM policies.
  5. Create two outbound connectors to contact the LDAP server.
    Note

    Using LDAP for authorization requires at least one outbound connector. A second outbound connector can be used as a backup or for failover. See LDAP Lookups and Anonymous Access for details on how File Storage responds when it can't reach an LDAP server.
  6. Add LDAP configuration details to a mount target.
  7. Add Kerberos authentication details to the same mount target and validate the keytab.
    Note

    Kerberos configuration isn't shared across mount targets.
  8. Verify that the mount target used for Kerberos authentication has:
    • A fully qualified domain name (FQDN) that matches the instance of the Kerberos keytab principal. For example: nfs/<FQDN_of_mount_target>@<REALM>.
      Note

      When the default Internet and VCN Resolver is used, the File Storage service constructs a FQDN by combining the mount target's hostname with the FQDN of the subnet the mount target is located in. For more information, see Managing Mount Targets.
    • A FQDN that was added to the DNS server with both forward and reverse lookup.
  9. Create or update a file system using the LDAP and Kerberos-enabled mount target.
  10. Add a Kerberos-enabled export to the mount target. See Use Kerberos for Authentication for an example.
  11. Mount the file system. For more information, see Mounting Kerberos-enabled File Systems.
    Note

    Use the FQDN of the mount target instead of the IP address.
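The following shell script is an added example, not part of the OCI documentation, that runs pre-flight checks for steps 2 and 8 above: it encodes the binary keytab for the Vault secret, confirms the keytab holds an nfs/<FQDN>@<REALM> principal whose instance is the mount target's FQDN, and checks that forward and reverse DNS agree for that FQDN. The keytab path, FQDN and realm are placeholders, and the keytab listing it parses is MIT `klist -kt` output.

```shell
#!/bin/sh
# Added example: pre-flight checks before enabling Kerberos on a mount target.

# Split a principal "service/instance@REALM" into its parts.
principal_service()  { printf '%s\n' "$1" | sed -n 's#^\([^/@]*\)/.*#\1#p'; }
principal_instance() { printf '%s\n' "$1" | sed -n 's#^[^/@]*/\([^@]*\)@.*#\1#p'; }
principal_realm()    { printf '%s\n' "$1" | sed -n 's#.*@\(.*\)$#\1#p'; }

# Succeed only for nfs/<fqdn>@<realm>; instance and realm are compared exactly,
# because a case or realm mismatch is rejected by the KDC just the same.
principal_matches_mount_target() {
    [ "$(principal_service "$1")" = "nfs" ] &&
    [ "$(principal_instance "$1")" = "$2" ] &&
    [ "$(principal_realm "$1")" = "$3" ]
}

# Print the principals from MIT `klist -kt` text: 3 header lines, principal last.
keytab_principals() { printf '%s\n' "$1" | awk 'NR>3 && NF>=3 {print $NF}'; }

# Succeed when the keytab listing contains the mount target's NFS principal.
keytab_has_mount_target_principal() {
    for p in $(keytab_principals "$1"); do
        principal_matches_mount_target "$p" "$2" "$3" && return 0
    done
    return 1
}

# Step 2: Base64 of the binary keytab as one line, ready to paste into the
# Vault secret (choose the Base64 format when creating the secret).
keytab_to_base64() { base64 < "$1" | tr -d '\n'; }

# Step 8: the A record and the PTR record for the mount target must agree.
dns_forward_reverse_ok() {
    ip=$(dig +short A "$1" | head -n1)
    [ -n "$ip" ] || return 1
    [ "$(dig +short -x "$ip" | sed 's/\.$//')" = "$1" ]
}

# Constructed sample listing (placeholder FQDN and realm, not a real KDC).
SAMPLE_KLIST='Keytab name: FILE:/tmp/mt.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------------
   2 01/15/2024 10:00:00 nfs/mt1.privsub.vcn1.oraclevcn.com@EXAMPLE.COM
   2 01/15/2024 10:00:00 host/mt1.privsub.vcn1.oraclevcn.com@EXAMPLE.COM'

if keytab_has_mount_target_principal "$SAMPLE_KLIST" \
        "mt1.privsub.vcn1.oraclevcn.com" "EXAMPLE.COM"; then
    echo "keytab contains the NFS principal for the mount target FQDN"
else
    echo "keytab principal does not match the mount target FQDN" >&2
fi
```

On a real host, feed it `"$(klist -kt /path/to/mt.keytab)"` in place of the sample and run `dns_forward_reverse_ok <FQDN_of_mount_target>` before step 9.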

Enable Kerberos Authentication for a Mount Target

Configure Kerberos authentication for a File Storage mount target.

Note

When you update an existing mount target to use Kerberos, it can take some time for File Storage to fully reflect the updates.