system-config/doc/source/kerberos.rst
Michael Krotscheck bdd6abcac8 Switched documentation to point to storyboard.
We've migrated this project to storyboard, I'm updating the
documentation links.

Change-Id: Id92552b7be7cd43ca6a3ec91c2c4f330078490b6
2014-11-12 14:48:02 -08:00


Kerberos

Kerberos is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. It is the basis for authentication to AFS.

At a Glance

Hosts
  • kdc*.openstack.org
Puppet
  • modules/kerberos
  • modules/openstack_project/manifests/kdc.pp
Projects
Bugs
Resources

OpenStack Realm

OpenStack runs a Kerberos Realm called OPENSTACK.ORG. The realm contains a Key Distribution Center or KDC which is spread across a master and a slave, as well as an admin server which only runs on the master. Most of the configuration is in puppet, but initial setup and the management of user accounts, known as principals, are manual tasks.

Realm Creation

On the first KDC host, the admin needs to run krb5_newrealm by hand. Then admin principals and host principals need to be set up.

Set up host principals for slave propagation:

# execute kadmin.local then run these commands
addprinc -randkey host/kdc01.openstack.org
addprinc -randkey host/kdc02.openstack.org
ktadd host/kdc01.openstack.org
ktadd host/kdc02.openstack.org

Copy the file /etc/krb5.keytab to the second kdc host.

The puppet config sets up slave propagation scripts and cron jobs to run them.
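The host-principal setup above, generalised to any number of KDC hosts and followed by a keytab check before the file is copied to the slave. This is an added example, not a script from the system-config repository; it assumes the OPENSTACK.ORG realm, a keytab at /etc/krb5.keytab, and KDC hostnames passed as arguments.

```shell
#!/bin/sh
# Added example, not code from the OpenStack system-config repository.
# Assumptions: realm OPENSTACK.ORG, keytab at /etc/krb5.keytab (override
# with KEYTAB=...), KDC hostnames given as arguments. Generalises the
# two-host kadmin.local commands to any number of KDCs.
REALM="OPENSTACK.ORG"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Emit the kadmin.local command script: one random-key host principal per
# KDC, then a ktadd for each so the keys land in the local keytab.
kdc_setup_commands() {
    for host in "$@"; do
        echo "addprinc -randkey host/$host@$REALM"
    done
    for host in "$@"; do
        echo "ktadd -k $KEYTAB host/$host@$REALM"
    done
}

# Read 'klist -k' output on stdin and confirm every KDC's host principal
# is present. Returns 0 when complete, 1 after listing what is missing,
# so the keytab is only copied to the slave once it is known to be whole.
keytab_has_principals() {
    klist_out=$(cat)
    missing=0
    for host in "$@"; do
        if ! printf '%s\n' "$klist_out" | grep -qF "host/$host@$REALM"; then
            echo "missing from keytab: host/$host@$REALM" >&2
            missing=1
        fi
    done
    return "$missing"
}

# With hostnames on the command line: apply the commands on the master KDC
# and verify the keytab before it is copied to the other KDC host(s).
if [ "$#" -gt 0 ]; then
    kdc_setup_commands "$@" | kadmin.local
    klist -k "$KEYTAB" | keytab_has_principals "$@"
fi
```

The keytab holds the long-term host keys, so the copy to the second KDC belongs on an authenticated channel such as scp, and the check above is what should gate that copy.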

Adding principals

To add an admin principal:

# execute kadmin.local then run these commands
addprinc corvus/admin@OPENSTACK.ORG