Chapter 9. Creating and Using a Centralized Kerberos Credential Cache

As a system administrator, you can authenticate to a Kerberos server once, centrally, to initialize a credential cache. Applications running in other containers can then use this central cache to authenticate, without each of them having to manage keytab files, authentication, or ticket renewal on its own.

9.1. Prerequisites

  • To use the services provided by the SSSD container from other containers, the client container’s rhel7 base image must include the sssd-client package. However, the default rhel7 base image does not include this package.

    If you need to use the SSSD services from other containers, create your own image for the client container based on the default rhel7 base image and include sssd-client. For details, see Creating Docker images.

9.2. Joining an Active Directory Domain Using an SSSD Container

This procedure describes how to install an SSSD container and configure it to join the Atomic Host system to Active Directory.

Procedure

  1. Save the password of a user allowed to enroll systems to the Active Directory domain, such as the Administrator, in the /etc/sssd/realm-join-password file on the Atomic Host system:

    # echo <password> > /etc/sssd/realm-join-password

    Providing the password in a file is necessary because the realm join command does not accept the password as a command-line parameter. The file holds the password in clear text: create it as root, make it readable by root only (chmod 600 /etc/sssd/realm-join-password), and consider removing it once the join has succeeded. Note that typing the password on the command line as shown also leaves it in the shell history.

    Note

    If you want to specify a custom container image name later with the atomic install command to use instead of the default name (sssd), add the custom name to the path of the file: /etc/sssd/<custom_container_name>/realm-join-password.

  2. Start the sssd container installation by using the atomic install command, and specify the realm that you want to join. If you are using the default Administrator user account for the operation:

    # atomic install --opt1='--dns=<DNS_server_IP> --dns-search=<DNS_domain> --hostname=<host_name> -e SSSD_CONTAINER_TYPE=application --net=default' rhel7/sssd realm join -v <ad.example.com>
    docker run --rm=true --privileged --net=host -v /:/host -e NAME=sssd -e IMAGE=rhel7/sssd -e HOST=/host rhel7/sssd /bin/install.sh realm join -v ad.example.com
    Initializing configuration context from host ...
     * Resolving: _ldap._tcp.ad.example.com
     * Performing LDAP DSE lookup on: 192.168.122.105
    ...
    Service sssd.service configured to run SSSD container.

    If you are using another user account, specify it with the --user option:

    # atomic install rhel7/sssd realm join --user <user_name> <ad.example.com>
  3. Start SSSD in the container by using one of the following commands:

    # atomic run rhel7/sssd
    # systemctl start sssd
  4. Optional. Confirm that the container is running:

    # docker ps
    CONTAINER ID        IMAGE
    5859b9366f0f        rhel7/sssd
  5. Optional. On the Atomic Host system, confirm that SSSD resolves identities from the Active Directory domain:

    # id administrator@<ad.example.com>
    uid=1397800500(administrator@ad.example.com) gid=1397800513(domain users@ad.example.com)

9.3. Authenticating to SSSD Running in a Container

To authenticate to a Kerberos server using SSSD that runs in a container:

  1. Run the kinit command inside the SSSD container by using docker exec. For example, to authenticate as the administrator user:

    # docker exec -i <container_name> kinit administrator
    Password for administrator@<DOMAIN>:
  2. Optionally, verify that the ticket was obtained and see which credential cache holds it:

    # docker exec -i <container_name> klist
    Ticket cache: KEYRING:persistent:0:0
    Default principal: Administrator@<DOMAIN>
    
    Valid starting     Expires            Service principal
    08/11/17 11:51:06  08/11/17 21:51:06  krbtgt/<DOMAIN>@<DOMAIN>
    	renew until 08/18/17 11:51:03

    The Ticket cache line shows the cache type. In this example the ticket is held in a persistent kernel keyring (KEYRING:persistent:0:0), not in the Kerberos Credential Manager (KCM), which klist reports with the KCM: prefix.

9.4. Using the SSSD Kerberos Cache in a Different Container

To make a Kerberos cache from an SSSD container available to other container applications, pass the /var/lib/sssd_container/<sssd-container-name>/client/etc/krb5.conf.d and /var/lib/sssd_container/<sssd-container-name>/client/var/lib/sss/pipes/ directories as volumes to the application container. For example:

# docker run --rm --name=<application_container> -v=/var/lib/sssd_container/<sssd-container-name>/client/etc/krb5.conf.d:/etc/krb5.conf.d/ -v=/var/lib/sssd_container/<sssd-container-name>/client/var/lib/sss/pipes/:/var/lib/sss/pipes/ docker-registry.engineering.redhat.com/idmqe/sssd-client-test:2.0 klist

The previous example executes the klist command in the application container and lists the Kerberos tickets managed by the SSSD container. The image in the example is a test image; use your own client image that includes the sssd-client package, as described in Prerequisites. Any container that mounts these two directories can use the tickets in the shared cache, so mount them only into application containers that you trust.

Note

If you delete the Kerberos ticket from the cache using the kdestroy utility, the application containers can no longer use the ticket.
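As an added example (not part of this page or of the SSSD project), the following script wraps the procedures in sections 9.3 and 9.4: it derives the two volume mounts for an application container from the SSSD container name, refuses to run if the SSSD container has not exported the client directories on the host, and parses klist output to confirm that the shared cache holds an unexpired TGT before an application relies on it. The function names, the read-only flag on the krb5.conf.d mount, the constructed sample klist text, and the assumption that a two-digit klist year means 20YY are mine; the host paths, the docker syntax and the klist output layout are taken from the page.

```shell
#!/bin/sh
# Added example, not from the Red Hat page or the SSSD project.
# Real: docker syntax, klist output layout, /var/lib/sssd_container/<name>/client/...
# Assumed: function names, the :ro flag on krb5.conf.d, two-digit years = 20YY.
# Plain POSIX sh, so variables are global rather than declared local.

SSSD_CONTAINER_ROOT=/var/lib/sssd_container

# Host directory that the SSSD container named $1 exports for client containers.
sssd_client_base() {
  printf '%s/%s/client\n' "$SSSD_CONTAINER_ROOT" "$1"
}

# Print the two -v arguments from section 9.4, one per line. krb5.conf.d is only
# read, so it is mounted read-only (my hardening); the pipes directory holds the
# sockets clients connect to and must stay read-write.
sssd_client_volumes() {
  base=$(sssd_client_base "$1")
  printf '%s\n' "-v=$base/etc/krb5.conf.d:/etc/krb5.conf.d:ro" \
                "-v=$base/var/lib/sss/pipes:/var/lib/sss/pipes"
}

# Succeed only if both exported directories exist, i.e. the SSSD container
# named $1 has been installed and started on this host.
sssd_client_paths_ok() {
  base=$(sssd_client_base "$1")
  [ -d "$base/etc/krb5.conf.d" ] && [ -d "$base/var/lib/sss/pipes" ]
}

# Run a command in an application image with the SSSD cache mounted in.
# Usage: run_with_sssd_cache <sssd-container-name> <image> [cmd...]
run_with_sssd_cache() {
  name=$1; image=$2; shift 2
  if ! sssd_client_paths_ok "$name"; then
    echo "no client directories for SSSD container '$name' under $SSSD_CONTAINER_ROOT" >&2
    return 1
  fi
  base=$(sssd_client_base "$name")
  docker run --rm \
    -v="$base/etc/krb5.conf.d:/etc/krb5.conf.d:ro" \
    -v="$base/var/lib/sss/pipes:/var/lib/sss/pipes" \
    "$image" "$@"
}

# Convert klist's "MM/DD/YY HH:MM:SS" (or MM/DD/YYYY) into a sortable
# YYYYMMDDHHMMSS number, so expiries compare with -gt and date(1) is not needed.
to_stamp() {
  m=${1%%/*}; r=${1#*/}; d=${r%%/*}; y=${r#*/}
  H=${2%%:*}; r=${2#*:}; M=${r%%:*}; S=${r#*:}
  case $y in ??) y=20$y ;; esac   # assumption: two-digit year is 20YY
  printf '%s%s%s%s%s%s\n' "$y" "$m" "$d" "$H" "$M" "$S"
}

# Print the expiry stamp of the krbtgt ticket for realm $2 in klist output $1;
# fail if none is listed (without a TGT the application cannot authenticate).
tgt_expiry() {
  realm=$2
  while read -r sd st ed et svc rest; do
    case $svc in
      "krbtgt/$realm@"*) to_stamp "$ed" "$et"; return 0 ;;
    esac
  done <<EOF
$1
EOF
  return 1
}

# Succeed if klist output $1 holds a TGT for realm $2 that expires after $3,
# where $3 is a local-time stamp such as $(date +%Y%m%d%H%M%S).
tgt_valid() {
  exp=$(tgt_expiry "$1" "$2") || return 1
  [ "$exp" -gt "$3" ]
}

# Run klist inside the application container and check the TGT it sees.
# Usage: check_app_tgt <sssd-container-name> <image> <REALM>
check_app_tgt() {
  out=$(run_with_sssd_cache "$1" "$2" klist) || return 1
  tgt_valid "$out" "$3" "$(date +%Y%m%d%H%M%S)"
}

# Constructed sample, modelled on the klist output shown in section 9.3.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:0:0
Default principal: Administrator@AD.EXAMPLE.COM

Valid starting     Expires            Service principal
08/11/17 11:51:06  08/11/17 21:51:06  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 08/18/17 11:51:03'

# Stand-alone use against a real host (assumed script name):
#   sh sssd-cache-check.sh <sssd-container-name> <client-image> <REALM>
# With no arguments only the offline check on the constructed sample runs.
if [ $# -eq 3 ]; then
  check_app_tgt "$1" "$2" "$3" && echo "TGT for $3 is valid"
elif tgt_valid "$SAMPLE_KLIST" AD.EXAMPLE.COM 20170811120000; then
  echo "sample TGT expires at $(tgt_expiry "$SAMPLE_KLIST" AD.EXAMPLE.COM)"
fi
```

The expiry check compares local-time stamps, which is what klist prints and what date +%Y%m%d%H%M%S produces on the same host; it does not account for the renew-until time, so a ticket that is expired but still renewable is reported as invalid, which is the safe answer for an application that is about to authenticate.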