How To Configure Microsoft AD Server as the KDC
For each DSE node in the cluster, do the following:
1. Add a regular/normal AD User Account that will map to the dse node. Example: AD User Account 'dsenode1' can be used for the first dse node in the cluster.
2. Map the AD account to the DSE service principals, and create a keytab for each service principal:
PS C:\Users\Administrator> ktpass -princ dse_automaton/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN +rndPass -mapuser dsenode1 -crypto ALL -pType KRB5_NT_PRINCIPAL -out dse_automaton_dsenode1.keytab
Targeting domain controller: QA-WIN2012.qawin2012.datastax.lan
Successfully mapped dse_automaton/dsehost1.datastax.lan to dsenode1.
Password successfully set!
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to dse_automaton_dsenode1.keytab:
Keytab version: 0x502
keysize 93 dse_automaton/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x1 (DES-CBC-CRC) keylength 8 (0x7570c8f140c47c3b)
keysize 93 dse_automaton/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0x7570c8f140c47c3b)
keysize 101 dse_automaton/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0x2f2f18d458668fe62f6b358ffe430f7a)
keysize 117 dse_automaton/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x12 (AES256-SHA1) keylength 32 (0x2de2fa3232e825a6016f2be5dc505322a8f29c16ae1b8e716b395b22d7a75a37)
keysize 101 dse_automaton/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x11 (AES128-SHA1) keylength 16 (0x1d712b04eabced6028b925e466d91ce0)
PS C:\Users\Administrator> ktpass -princ HTTP/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN +rndPass -mapuser dsenode1 -crypto ALL -pType KRB5_NT_PRINCIPAL -out HTTP_dsenode1.keytab -setupn -setpass
Targeting domain controller: QA-WIN2012.qawin2012.datastax.lan
Successfully mapped HTTP/dsehost1.datastax.lan to dsenode1.
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to HTTP_dsenode1.keytab:
Keytab version: 0x502
keysize 84 HTTP/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x1 (DES-CBC-CRC) keylength 8 (0xba19753d1a26e6dc)
keysize 84 HTTP/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x3 (DES-CBC-MD5) keylength 8 (0xba19753d1a26e6dc)
keysize 92 HTTP/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0xf4759cc0893590f92f1050598d4c7ec6)
keysize 108 HTTP/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x12 (AES256-SHA1) keylength 32 (0x1e882232b81dc6eb3c8cf709f137ad7da600ad18f65d134bf43c5790946148b2)
keysize 92 HTTP/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x11 (AES128-SHA1) keylength 16 (0x5916c8e9ef1e0ea3d45abd171922f268)
where:
- +rndPass creates a random password for the principal user name that is specified by the -princ parameter
- QAWIN2012.DATASTAX.LAN is the AD domain name (the domain that is managed by the AD Server)
- dsehost1.datastax.lan is the FQDN of the dse node
- "-setupn -setpass" at the end of the 2nd ktpass command is needed to avoid invalidating the first mapping.
- dse_automaton is the primary part of the kerberos service principal used in the host's dse.yaml file:
kerberos_options:
    keytab: /var/tmp/dse.keytab
    service_principal: dse_automaton/_HOST@QAWIN2012.DATASTAX.LAN
    http_principal: HTTP/_HOST@QAWIN2012.DATASTAX.LAN
    qop: auth
Notice that the realm name in the kerberos_options settings above is QAWIN2012.DATASTAX.LAN. Since the MS AD Server is the KDC, the realm name is the Windows domain name.
3. scp the keytabs generated above to the dse node for which they were generated.
4. Merge the keytabs into a single keytab using ktutil:
# ktutil
ktutil:  read_kt dse_automaton_dsenode1.keytab
ktutil:  read_kt HTTP_dsenode1.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    4 dse_automaton/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN
   2    4 dse_automaton/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN
   3    4 dse_automaton/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN
   4    4 dse_automaton/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN
   5    4 dse_automaton/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN
   6    4 HTTP/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN
   7    4 HTTP/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN
   8    4 HTTP/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN
   9    4 HTTP/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN
  10    4 HTTP/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN
ktutil:  write_kt dse_AD2.keytab
ktutil:  q
4b. Change ownership of the resulting keytab file (dse_AD2.keytab in the example above) to cassandra:cassandra (since the cassandra linux user is the owner of the dse process).
5. Point to the new keytab (created in step 4 above) in the node's dse.yaml:
kerberos_options:
    # keytab: /var/tmp/dse.keytab
    keytab: /home/automaton/dse_AD2.keytab
    service_principal: dse_automaton/_HOST@QAWIN2012.DATASTAX.LAN
    http_principal: HTTP/_HOST@QAWIN2012.DATASTAX.LAN
    qop: auth
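A way to sanity-check the merged keytab from steps 4 and 4b against the kerberos_options from step 5, as an added Python example that is not part of this article or of DSE's own tooling: it parses the 0x502 keytab format that ktpass and ktutil write, substitutes the node FQDN for _HOST, confirms that both configured principals are present with an AES key, and reports the DES and RC4 keys that -crypto ALL also emits, plus any kvno mismatch left by re-running ktpass. The sample keytab, its key bytes (constructed, not the keys printed above) and the check_node_keytab helper are assumptions made for this example; the keysize values it computes match the ones in the ktpass output above.

```python
import struct

# Kerberos enctype numbers (RFC 3961 registry), named the way ktpass prints them.
ETYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-SHA1",
               18: "AES256-SHA1", 23: "RC4-HMAC"}
WEAK_ETYPES = {1, 3, 23}   # single DES (RFC 6649) and RC4 (RFC 8429) are deprecated
AES_ETYPES = {17, 18}


def _octets(data, pos):
    """Read a counted_octet_string: big-endian uint16 length, then that many bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Parse an MIT keytab (file version 0x0502) into a list of entry dicts.
    Entry layout: int32 size; uint16 num_components; realm; components;
    uint32 name_type; uint32 timestamp; uint8 vno8; uint16 etype; key;
    optional uint32 kvno (ktpass and ktutil always write it)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # a negative size marks a deleted slot: skip it
            pos -= size
            continue
        if size == 0:
            raise ValueError("zero-length keytab entry")
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _octets(data, pos)
            comps.append(comp.decode())
        name_type, _timestamp, vno = struct.unpack_from(">IIB", data, pos)
        (etype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _octets(data, pos + 11)
        if end - pos >= 4:           # the 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "kvno": vno, "etype": etype,
                        "keylen": len(key), "keysize": size + 4})  # ktpass counts the size field
    return entries


def build_keytab(entries):
    """Write a 0x502 keytab from (principal, kvno, etype, key) tuples. Used here only to
    construct an offline sample in the same layout ktpass and ktutil produce."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_node_keytab(data, node_fqdn, kerberos_options, default_realm):
    """Compare a node's keytab with its dse.yaml kerberos_options and the krb5.conf
    default_realm. Returns a list of problem strings; an empty list means clean."""
    entries = parse_keytab(data)
    etypes_for = {}
    for e in entries:
        etypes_for.setdefault(e["principal"], set()).add(e["etype"])
    problems = []
    for opt in ("service_principal", "http_principal"):
        wanted = kerberos_options[opt].replace("_HOST", node_fqdn)
        if not wanted.endswith("@" + default_realm):
            problems.append(f"{opt}: realm of {wanted} differs from default_realm {default_realm}")
        etypes = etypes_for.get(wanted)
        if etypes is None:
            problems.append(f"{opt}: {wanted} is missing from the keytab")
        elif not etypes & AES_ETYPES:
            problems.append(f"{opt}: {wanted} has no AES key")
    for e in entries:
        if e["etype"] in WEAK_ETYPES:
            problems.append(f"weak enctype {ETYPE_NAMES[e['etype']]} present for {e['principal']}")
    kvnos = {e["kvno"] for e in entries}
    if len(kvnos) > 1:
        problems.append(f"mixed kvnos {sorted(kvnos)}: a re-run of ktpass may have left stale keys")
    return problems


# Constructed sample: the article's two principals with made-up key bytes (not the keys
# shown above), as the merged dse_AD2.keytab from step 4 would hold them.
SAMPLE_KEYTAB = build_keytab([
    ("dse_automaton/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN", 4, 1, bytes(range(8))),
    ("dse_automaton/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN", 4, 23, bytes(range(16))),
    ("dse_automaton/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN", 4, 18, bytes(range(32))),
    ("HTTP/dsehost1.datastax.lan@QAWIN2012.DATASTAX.LAN", 4, 18, bytes(range(32, 64))),
])
KERBEROS_OPTIONS = {   # the kerberos_options block from step 5
    "service_principal": "dse_automaton/_HOST@QAWIN2012.DATASTAX.LAN",
    "http_principal": "HTTP/_HOST@QAWIN2012.DATASTAX.LAN",
}
```

On a node, pass the bytes of /home/automaton/dse_AD2.keytab to check_node_keytab with the node's FQDN, the kerberos_options from step 5 and the default_realm from step 6; for the sample above it returns two warnings, one for the DES-CBC-CRC key and one for the RC4-HMAC key, and nothing else. The principals and kvnos it lists should agree with what klist -kte prints for the same file.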
6. Modify /etc/krb5.conf on the dse node to (1) point to the AD Server as the KDC Server and (2) use the Windows domain name as the realm name (the relevant settings, shown in their krb5.conf sections):
[libdefaults]
    default_realm = QAWIN2012.DATASTAX.LAN
[realms]
    QAWIN2012.DATASTAX.LAN = {
        kdc = <AD_SERVER_IP>
        admin_server = <AD_SERVER_IP>
    }
7. In the dse node's dse.yaml file, configure the authentication options as follows:
authentication_options:
    enabled: true
    default_scheme: kerberos
    other_schemes:
        - internal
    scheme_permissions: true
    allow_digest_with_kerberos: true
    plain_text_without_ssl: warn
    transitional_mode: disabled
Notice that "ldap" is not included in the authentication schemes listed in the authentication options section shown above. That is intentional: here we are using Kerberos (with AD as the KDC) to authenticate the AD users, not LDAP, so ldap is not listed as an authentication scheme.
8. To use the AD Server as the KDC, you have to use AD users to authenticate. So, on the dse node, create a linux user account whose name matches an existing AD username (this article will use AD User 'thatran'). Create the linux user account as usual (using "adduser" or "useradd", whatever you normally use).
9. To use cqlsh with Kerberos, there must exist a properly configured ~/.cassandra/cqlshrc file:
$ cat /home/thatran/.cassandra/cqlshrc
[kerberos]
hostname = dsehost1.datastax.lan
service = dse_automaton
[connection]
hostname = dsehost1.datastax.lan
; the connection factory below is not needed starting with dse v5.1
factory = cqlshlib.kerberos.kerberos_transport_factory
NOTE: Both hostnames above should be the FQDN of the dse node where dse is running, not the FQDN of the kerberos server or KDC Server.
Do the following just once, from any dse node in the cluster:
10. Login to cqlsh as the cassandra superuser and create a cassandra role for your AD user (in order for the user to be able to login). The role should have "login=true" with no password set:
$ cqlsh -u cassandra -p cassandra
Connected to TT_512_kerbAD at dsehost1.datastax.lan:9042.
[cqlsh 5.0.1 | Cassandra 3.11.0.1758 | DSE 5.1.2 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cassandra@cqlsh> create role 'thatran@QAWIN2012.DATASTAX.LAN' with login=true;
TO TEST:
automaton@dsehost1:/etc/dse$ su - thatran
Password:
thatran@dsehost1:~$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1005)
thatran@dsehost1:~$ kinit
Password for thatran@QAWIN2012.DATASTAX.LAN:
thatran@dsehost1:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1005
Default principal: thatran@QAWIN2012.DATASTAX.LAN
Valid starting Expires Service principal
08/29/2017 18:40:40 08/30/2017 04:40:40 krbtgt/QAWIN2012.DATASTAX.LAN@QAWIN2012.DATASTAX.LAN
renew until 08/30/2017 18:40:32
thatran@dsehost1:~$ cqlsh
Connected to TT_512_kerbAD at dsehost1.datastax.lan:9042.
[cqlsh 5.0.1 | Cassandra 3.11.0.1758 | DSE 5.1.2 | CQL spec 3.4.4 | Native protocol v4]
Use HELP for help.
cqlsh>
NOTE: When you "su - thatran", you need to give the password assigned to the linux user. For the kinit password, you give the AD user's password.