Kerberos Configuration

Kerberos is a network protocol that uses secret-key cryptography to authenticate communication between a client and a host machine or service. It uses a Key Distribution Center (KDC) server to issue time-stamped tickets. You can use the appliance to import Kerberos principals and keys created on the KDC, or you can configure principals for the KDC using the appliance, and their keys are automatically created. Although you can use both methods, importing is the best practice and most commonly used. All keys are encrypted using the Kerberos password and stored within the appliance keytab file.
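Because importing a keytab created on the KDC is the recommended path, it is worth checking what a keytab actually contains before loading it. The following is an added example, not appliance code: a small Python parser for the MIT keytab file format (version 0x0502) that lists each principal, key version number and encryption type, and flags keys that use deprecated enctypes. The realm, host name and key bytes are constructed sample values.

```python
import struct
# Encryption types that MIT Kerberos documents as deprecated (single DES, 3DES, RC4).
WEAK_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac"}

def _counted(buf, pos):  # 16-bit length-prefixed string ("counted octet string")
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry in a v2 (0x0502) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:            # negative size marks a deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        enctype, klen = struct.unpack_from(">HH", data, p + 9)
        p += 13 + klen           # skip header fields and the key bytes themselves
        # Optional trailing 32-bit kvno overrides the 8-bit field when present and non-zero.
        kvno = (struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0) or vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries

def weak_entries(entries):
    """Entries whose key uses a deprecated enctype; regenerate these on the KDC before importing."""
    return [(p, WEAK_ENCTYPES[e]) for p, _k, e in entries if e in WEAK_ENCTYPES]

def _entry(realm, comps, enctype, key, kvno):  # builds one entry; used only for the sample below
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 1700000000, kvno & 0xFF)   # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab: an AES-256 NFS key and an RC4 host key for a hypothetical appliance.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("EXAMPLE.COM", ["nfs", "zfs1.example.com"], 18, b"\x11" * 32, 3)
                 + _entry("EXAMPLE.COM", ["host", "zfs1.example.com"], 23, b"\x22" * 16, 3))
```

Running `parse_keytab` over a real keytab read with `open(path, "rb").read()` lists the principals the appliance will receive; `weak_entries` points out keys that should be regenerated with an AES enctype on the KDC before the import.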

Both Kerberos and Active Directory can be enabled at the same time because they have distinct realms and keys. When both are active, the Kerberos realm is the default.

The appliance can use Kerberos to authenticate users for administrative login and for access to services, including NFS, HTTP, FTP, SFTP, and SSH. To use Kerberos authentication for these services, an appliance user must have a Kerberos principal of the same name. Kerberos can also be used to set security for individual shares that use the NFS protocol, as described in Configuring Kerberos Realms for NFS. Because the Kerberos service relies on time stamps, configure the appliance NTP service first so that the appliance clock stays within the KDC's allowed skew.

To configure Kerberos, see the following sections: