Red Hat Training
A Red Hat training course is available for Red Hat Enterprise Linux
Chapter 9. Creating and Using a Centralized Kerberos Credential Cache
As a system administrator, you can centrally authenticate to a Kerberos server to initialize the credential cache. You can also ensure that applications running in containers are able to use this central cache to authenticate without requiring to manage keytab files, authentication, or renewal separately.
9.1. Prerequisites
To use the services provided by the SSSD container from other containers, the client container’s rhel7 base image must include the
sssd-clientpackage. However, the default rhel7 base image does not include this package.If you need to use the SSSD services from other containers, create your own image for the client container based on the default rhel7 base image and include
sssd-client. For details, see Creating Docker images.
9.2. Joining an Active Directory Domain Using an SSSD Container
This procedure describes how to install an SSSD container and configure it to join the Atomic Host system to Active Directory.
Procedure
Save the password of a user allowed to enroll systems to the Active Directory domain, such as the Administrator, in the
/etc/sssd/realm-join-passwordfile on the Atomic Host system:# echo <password> > /etc/sssd/realm-join-passwordProviding the password in the file is necessary because the
realm joincommand does not accept the password as a command-line parameter.NoteIf you want to specify a custom container image name later with the
atomic installcommand to use instead of the default name (sssd), add the custom name to the path of the file:/etc/sssd/<custom_container_name>/realm-join-password.Start the sssd container installation by using the
atomic installcommand, and specify the realm that you want to join. If you are using the default Administrator user account for the operation:# atomic install --opt1='--dns=<DNS_server_IP> --dns-search=<DNS_domain> --hostname=<host_name> -e SSSD_CONTAINER_TYPE=application --net=default' rhel7/sssd realm join -v <ad.example.com> docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh realm join -v ad.example.com Initializing configuration context from host ... * Resolving: _ldap._tcp.ad.example.com * Performing LDAP DSE lookup on: 192.168.122.105 ... Service sssd.service configured to run SSSD container.If you are using another user account, specify it with the
--useroption:# atomic install rhel7/sssd realm join --user <user_name> <ad.example.com>Start SSSD in the container by using one of the following commands:
# atomic run rhel7/sssd# systemctl start sssdOptional. Confirm that the container is running:
# docker ps CONTAINER ID IMAGE 5859b9366f0f rhel7/sssdOptional. On the Atomic Host system, confirm that SSSD resolves identities from the Active Directory domain:
# id administrator@<ad.example.com> uid=1397800500(administrator@ad.example.com) gid=1397800513(domain users@ad.example.com)
Additional Resources
- For details on the realmd utility, see Using realmd to Connect to an Active Directory Domain in the Windows Integration Guide or the realm(8) man page.
9.3. Authenticating to SSSD Running in a Container
To authenticate to a Kerberos server using SSSD that runs in a container:
Pass the
kinitoption to thedocker execcommand. For example, to authenticate as the administrator user:# docker exec -i <container_name> kinit administrator Password for administrator@<DOMAIN>:Optionally, verify that your Kerberos credential cache is stored in the Kerberos Credential Manager (KCM):
# docker exec -i <container_name> klist Ticket cache: KEYRING:persistent:0:0 Default principal: Administrator@<DOMAIN> Valid starting Expires Service principal 08/11/17 11:51:06 08/11/17 21:51:06 krbtgt/<DOMAIN>@<DOMAIN> renew until 08/18/17 11:51:03
9.4. Using the SSSD Kerberos Cache in a Different Container
To make a Kerberos cache from an SSSD container available to other container applications, pass the /var/lib/sssd_container/<sssd-container-name>/client/etc/krb5.conf.d and /var/lib/sssd_container/<sssd-container-name>/client/var/lib/sss/pipes/ directories as volumes to the application container. For example:
# docker run --rm --name=<application_container> -v=/var/lib/sssd_container/<sssd-container-name>/client/etc/krb5.conf.d:/etc/krb5.conf.d/ -v=/var/lib/sssd_container/<sssd-container-name>/client/var/lib/sss/pipes/:/var/lib/sss/pipes/ docker-registry.engineering.redhat.com/idmqe/sssd-client-test:2.0 klist
The previous example executes the klist command in the container and lists the Kerberos tickets managed by the SSSD container.
If you delete the Kerberos ticket from the cache using the kdestroy utility, the application containers can no longer use the ticket.
