This document focuses on SMB and NFS integration with the Kerberos environment. For the HDFS protocol used in a Hadoop solution, see PowerScale OneFS with Hadoop Kerberos and Identity Management Approaches.
Most authentication providers in OneFS provide two functions: authentication and identity.
The Kerberos provider only provides the authentication function. It has no concept of identity and holds no user information. A Kerberos server can be thought of as a very simple key/value database where the keys are principal names and the values are secret keys (passwords). OneFS supports Microsoft Kerberos through the Microsoft Active Directory authentication provider, and MIT Kerberos through a separate MIT Kerberos authentication provider on the OneFS cluster.
In the OneFS implementation, MIT Kerberos works independently of Active Directory (AD) and supports the NFS, HDFS, and HTTP protocols.
A user authenticated through MIT Kerberos still needs a source of identity. The user account may be stored in any identity source, but storing it in an LDAP server is recommended. In this case, the LDAP authentication provider should be configured not to perform authentication (--authentication=False), leaving authentication to Kerberos.
OneFS provides Microsoft Kerberos authentication using Active Directory (AD) and supports protocols including NFS, SMB, HDFS, and HTTP. The AD service is composed of LDAP, the Microsoft version of Kerberos, and DNS. When adding an AD to a OneFS cluster as an authentication provider, it can act as a Kerberos authentication server for authentication and an LDAP server for identity management at the same time. Microsoft Kerberos is available automatically when configuring the AD provider.
A service principal name (SPN) represents a service within a cluster and has a specific secret key stored in the Kerberos server. The SPN identifies not only the user or service, but also the realm to which the entity belongs. An SPN is formed from the identifier and the realm: <identifier>@<KERBEROS_REALM>.
In OneFS, SPNs are created based on the SmartConnect zone name and the cluster FQDN hostname. If the SmartConnect zone names are changed, administrators should update the SPNs to apply the changes.
In a Kerberos environment with more than one realm, clients and servers must know which realm to contact for a given service FQDN. The following example defines the domain-to-realm mapping in the /etc/krb5.conf file:
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
The configuration contains two mappings. The first mapping example.com = EXAMPLE.COM indicates that a system with the exact name example.com belongs to the EXAMPLE.COM realm. The second mapping .example.com = EXAMPLE.COM indicates that any system name in the example.com DNS domain belongs to the EXAMPLE.COM realm.
OneFS configures the mapping automatically for AD providers. When using MIT Kerberos, OneFS provides the following command to create the domain-to-realm mapping:
#isi auth krb5 domain create --realm=EXAMPLE.COM --domain=.example.com
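The following added example (not OneFS or Dell code) reproduces the lookup semantics of the two [domain_realm] entries above and builds the <identifier>@<KERBEROS_REALM> form of an SPN; the hostnames and the nfs service name are constructed sample values, and the longest-matching-suffix order for dot-prefixed entries is how MIT krb5 resolves such rules.

```python
"""Resolve a host's Kerberos realm from krb5.conf [domain_realm] rules.

Added example, not OneFS code. An entry without a leading dot matches only
that exact host; an entry with a leading dot matches every host under that
DNS domain. Sample hostnames and the 'nfs' service name are constructed.
"""

# Constructed krb5.conf fragment mirroring the two mappings in the text.
KRB5_CONF = """
[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
"""


def parse_domain_realm(conf_text):
    """Return {pattern: REALM} from the [domain_realm] section of krb5.conf."""
    mappings = {}
    in_section = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_section = line == "[domain_realm]"
            continue
        if in_section and "=" in line:
            pattern, realm = (part.strip() for part in line.split("=", 1))
            mappings[pattern.lower()] = realm
    return mappings


def realm_for_host(host, mappings):
    """Map a service FQDN to its realm, or None when no rule covers it.

    An exact host entry wins; otherwise the most specific (longest)
    dot-prefixed parent domain is tried first, then broader ones.
    """
    host = host.lower().rstrip(".")
    if host in mappings:
        return mappings[host]
    labels = host.split(".")
    for i in range(1, len(labels)):  # ".lab.example.com", ".example.com", ".com"
        suffix = "." + ".".join(labels[i:])
        if suffix in mappings:
            return mappings[suffix]
    return None


def service_principal(service, fqdn, realm):
    """Build <identifier>@<REALM>, e.g. the SPN for a SmartConnect zone FQDN."""
    return f"{service}/{fqdn.lower().rstrip('.')}@{realm}"
```

A host outside every configured domain resolves to None, which is the situation that produces "Cannot find KDC for realm" style failures when a SmartConnect zone name changes without the mapping being updated.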