IBM Spectrum Computing Group

[LSF Application Center]How to integrate with Kerberos


    Posted Thu January 07, 2021 11:13 AM
    1. Configure Kerberos on the Active Directory domain controller host
    1) On the Windows Active Directory server, open the "Administrative Tools" window and click "DNS".

    2) Select "New Host".
    4) Add the principals below for LSF.
    Add new users in Active Directory: in "Administrative Tools", open the "Active Directory Users and Computers" window and select User -> New -> User to add a new user, for example the users "lsfsrv" and "lsfhost".

    Then open a Windows cmd window and run the commands below to generate the keytab files:

    setspn -A lsf/$cluster-name lsfsrv
    ktpass -princ lsf/$cluster-name@FREE.ZONE -mapuser lsfsrv -pass $pass -out lsfsrv.keytab -ptype KRB5_NT_PRINCIPAL

    Note:

    • "lsfsrv" is an example; you can change this user name to follow your own naming rule.
    • Replace $cluster-name in the command with the real LSF cluster name.
    • Replace $pass in the command with the real password of the user "lsfsrv".

    setspn -A lsf/$host-name lsfhost
    ktpass -princ lsf/$host-name@FREE.ZONE -mapuser lsfhost -pass $pass -out lsfhost.keytab -ptype KRB5_NT_PRINCIPAL

    Note:

    • "lsfhost" is an example; you can change the user name to follow your own naming rule.
    • Replace $host-name in the command with the LSF host name. The value must be the output of the "hostname -f" command on the LSF host.
    • Replace $pass in the command with the real password of the user "lsfhost".

    5) Add principals for the LSF add-on

    As in the step above, add the users "AC_root" and "lsfgui", then run the commands below to add the principals for the LSF add-on product:

    setspn -A AC_root
    ktpass -princ AC_root -pass $pass -out ac_root.keytab -ptype KRB5_NT_PRINCIPAL

    Note:

    • "AC_root" is a fixed user name; do not change it.
    • Replace $pass in the command with the real password of the user "AC_root".

    setspn -A HTTP/$host-name lsfgui
    ktpass -princ HTTP/$host-name@FREE.ZONE -mapuser lsfgui -pass $pass -out lsfgui.keytab -ptype KRB5_NT_PRINCIPAL

    Note:

    • "lsfgui" is an example; you can change the user name to follow your own naming rule.
    • Replace $host-name in the command with the LSF add-on host name. The value must be the output of the "hostname -f" command on the LSF add-on host, and the LSF add-on host must also be a host in the LSF cluster.
    • Replace $pass in the command with the real password of the user "lsfgui".

    2. Configure Kerberos on the LSF and add-on host
    1) Run the "nmtui" command to edit the Linux network settings of the LSF and add-on host: use the IP address of the Windows Active Directory domain controller as the DNS server address, and set the Active Directory domain name as the search domain.
    2) Edit /etc/hosts to configure the mapping between host name and IP address:
    # The host address of Windows Active Directory domain controller host
    9.110.251.125  vmwin12  vmwin12.free.zone
    # The host address of LSF or add-on host
    9.110.251.30  vmrhel7x  vmrhel7x.free.zone
    3) Run "yum install krb5-libs krb5-workstation krb5-devel" to install Kerberos.

    4) Copy all the generated keytab files from the Active Directory domain controller host, then run the commands below to merge the keytab files into krb5.keytab:

    ktutil
    rkt lsfsrv.keytab
    rkt lsfhost.keytab
    rkt lsfgui.keytab
    rkt ac_root.keytab
    wkt krb5.keytab
    exit

    5) Copy the generated krb5.keytab to /etc and configure /etc/krb5.conf as below.

    In this example:

    • The domain name is "free.zone"
    • The Active Directory domain controller host name is "vmwin12.free.zone"
    includedir /etc/krb5.conf.d/
    [logging]
      default = FILE:/var/log/krb5libs.log
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
      default_realm = FREE.ZONE
      default_keytab_name = FILE:/etc/krb5.keytab
      default_ccache_name = FILE:/tmp/krb5cc_%{uid}
      default_tkt_enctypes = rc4-hmac
      default_tgs_enctypes = rc4-hmac
      forwardable = true
      renewable = true
      noaddresses = true
      clockskew = 300
      udp_preference_limit = 1
    [realms]
      FREE.ZONE = {
        kdc = vmwin12.free.zone
        admin_server = vmwin12.free.zone
      }
    [domain_realm]
      .free.zone = FREE.ZONE
      free.zone = FREE.ZONE
    6) Reboot the host so that the configuration takes effect.
    7) Run "klist -k -t /etc/krb5.keytab" to verify the Kerberos keytab file.
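The merge in step 4 and the check in step 7 can be scripted so that the keytab is verified before it is copied to /etc. The following POSIX shell script is an added example and not part of the original post: it feeds ktutil the same rkt/wkt commands non-interactively, then parses the output of "klist -k -t" and fails if any of the four principals created in section 1 is absent (a principal written with the wrong host name, realm or letter case is the usual reason a later logon fails). REALM, CLUSTER and HOST are placeholders you must set to your own values; the keytab file names are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): merge the per-principal keytabs
# copied from the domain controller into one krb5.keytab without typing into
# the interactive ktutil prompt, then verify that every principal the LSF and
# add-on hosts need is really present before the file goes to /etc.

REALM="FREE.ZONE"          # placeholder realm
CLUSTER="cluster1"         # placeholder LSF cluster name
HOST="vmrhel7x.free.zone"  # placeholder; must equal the output of "hostname -f"

# merge_keytabs OUT IN... : send ktutil one "rkt" per input keytab followed
# by "wkt OUT", exactly the command sequence shown in step 4.
merge_keytabs() {
    out=$1
    shift
    {
        for f in "$@"; do
            printf 'rkt %s\n' "$f"
        done
        printf 'wkt %s\nquit\n' "$out"
    } | ktutil
}

# check_principals LISTING NAME... : LISTING is the text printed by
# "klist -k -t KEYTAB". Succeeds only if every NAME appears in it and
# reports each missing one on stderr.
check_principals() {
    listing=$1
    shift
    missing=0
    for p in "$@"; do
        case "$listing" in
            *"$p"*) ;;
            *) echo "missing from keytab: $p" >&2; missing=1 ;;
        esac
    done
    return $missing
}

# expected_principals CLUSTER HOST REALM : the four principals from section 1.
# AC_root is matched without a realm so that either spelling ktpass wrote
# (AC_root or AC_root@REALM) is accepted.
expected_principals() {
    printf 'lsf/%s@%s lsf/%s@%s HTTP/%s@%s AC_root\n' \
        "$1" "$3" "$2" "$3" "$2" "$3"
}

# Only perform the real merge when ktutil is installed (krb5-workstation)
# and the keytabs from the domain controller are in the current directory.
if command -v ktutil >/dev/null 2>&1 && [ -f lsfsrv.keytab ]; then
    [ "$(hostname -f)" = "$HOST" ] ||
        echo "warning: hostname -f prints $(hostname -f), not $HOST" >&2
    merge_keytabs krb5.keytab lsfsrv.keytab lsfhost.keytab lsfgui.keytab ac_root.keytab
    listing=$(klist -k -t krb5.keytab)
    check_principals "$listing" $(expected_principals "$CLUSTER" "$HOST" "$REALM") &&
        echo "krb5.keytab contains all expected principals"
fi
```

Run it in the directory that holds the four keytabs. "klist -k -t -e" additionally prints the encryption type of each entry, which must match default_tkt_enctypes in krb5.conf (rc4-hmac in the configuration above; that is a legacy cipher, and the AES types are preferable wherever the Active Directory accounts allow them).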
    8) Install LSF and configure the Kerberos parameters
    • Edit $LSF_ENVDIR/lsf.conf and add the parameters below:
    LSF_ADDON_HOSTS="vmrhel7x" #vmrhel7x is the host on which the LSF add-on is installed; replace it with the real host name
    LSB_KRB_LIB_PATH="/usr/lib64/"
    • Back up the "eauth" file under $LSF_SERVERDIR, then rename "eauth.krb5" in the same directory to "eauth" to overwrite the old one.
    9) Install AC and configure the Kerberos parameters
    • Edit $GUI_CONFDIR/pmc.conf and add the parameters below:
    ENABLE_KERBEROS=true
    KrbServicePrincipal="HTTP/vmrhel7x@FREE.ZONE" #vmrhel7x is the host on which the LSF add-on is installed; replace it with the real host name
    KrbKeyTabLocation="/etc/krb5.keytab"
    • Back up the file $PMC_TOP/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/classes/spring-security.xml, then rename spring-security.xml.krb in the same directory to spring-security.xml to overwrite the old one.
    • Set the environment variable LSF_ADDON_SERVICENAME="AC_root".
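Steps 8 and 9 edit two configuration files and replace two files with their Kerberos-enabled versions. The script below is an added example, not part of the original post or of the LSF product: it applies the parameters idempotently (running it twice does not leave duplicate lines) and keeps a .bak copy of the original eauth and spring-security.xml so the change can be reverted. It uses the paths and parameter names given in the steps; ADDON_HOST and REALM are placeholders, and the LSF_ENVDIR, LSF_SERVERDIR, GUI_CONFDIR and PMC_TOP environment variables are assumed to be set as in the post.

```shell
#!/bin/sh
# Added example (not from the original post): apply the lsf.conf and pmc.conf
# settings from steps 8 and 9 and swap in the Kerberos-enabled eauth and
# spring-security.xml, keeping a backup of each file that is replaced.

ADDON_HOST="vmrhel7x"   # placeholder: host name of the LSF add-on host
REALM="FREE.ZONE"       # placeholder realm

# set_param FILE KEY VALUE : replace an existing KEY=... line or append one.
# Values must not contain '|' or '&' (sed delimiter and back-reference).
set_param() {
    file=$1 key=$2 value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        # rewrite through a temp file because "sed -i" is not POSIX
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_param FILE KEY : print the current value of KEY (empty if unset).
get_param() {
    sed -n "s|^$2=||p" "$1"
}

# swap_in TARGET REPLACEMENT : keep TARGET as TARGET.bak, then copy
# REPLACEMENT over it. Refuses to touch TARGET when REPLACEMENT is missing,
# so a mistyped path cannot delete the working eauth.
swap_in() {
    target=$1 replacement=$2
    [ -f "$replacement" ] || { echo "replacement $replacement not found" >&2; return 1; }
    [ -f "$target" ] && cp -p "$target" "$target.bak"
    cp -p "$replacement" "$target"
}

# Step 8: LSF side. Skipped when LSF is not installed on this host.
if [ -n "$LSF_ENVDIR" ] && [ -f "$LSF_ENVDIR/lsf.conf" ]; then
    set_param "$LSF_ENVDIR/lsf.conf" LSF_ADDON_HOSTS "\"$ADDON_HOST\""
    set_param "$LSF_ENVDIR/lsf.conf" LSB_KRB_LIB_PATH '"/usr/lib64/"'
    swap_in "$LSF_SERVERDIR/eauth" "$LSF_SERVERDIR/eauth.krb5"
fi

# Step 9: Application Center side. Skipped when AC is not installed here.
if [ -n "$GUI_CONFDIR" ] && [ -f "$GUI_CONFDIR/pmc.conf" ]; then
    set_param "$GUI_CONFDIR/pmc.conf" ENABLE_KERBEROS true
    set_param "$GUI_CONFDIR/pmc.conf" KrbServicePrincipal "\"HTTP/$ADDON_HOST@$REALM\""
    set_param "$GUI_CONFDIR/pmc.conf" KrbKeyTabLocation '"/etc/krb5.keytab"'
    CLASSES="$PMC_TOP/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/classes"
    swap_in "$CLASSES/spring-security.xml" "$CLASSES/spring-security.xml.krb"
fi
```

LSF_ADDON_SERVICENAME is an environment variable rather than a file setting, so it is left to the shell profile of the account that starts the add-on.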

    3. Configure the Windows client host
    3.1 Add the client into Active Directory as a domain client
    1) Reset the SID, then modify the DNS address so that it points to the domain controller machine IP.

    2) Right-click "This PC", select Properties -> Change Settings -> Change, and join the host to the free.zone domain.

    3) Edit C:\Windows\System32\drivers\etc\hosts to configure the mapping between host name and IP address:
    # The host address of Windows Active Directory domain controller host
    9.110.251.125  vmwin12  vmwin12.free.zone
    # The host address of LSF or add-on host
    9.110.251.30  vmrhel7x  vmrhel7x.free.zone
    3.2 Configure browsers for Kerberos access on the client
    - Firefox

    Complete the following steps to ensure that your Firefox browser is enabled to perform SPNEGO authentication.

    • Open Firefox.
    • In the address field, type about:config.
    • In the filter/search field, type negotiate.
    • The parameter network.negotiate-auth.trusted-uris may be set to the LSF add-on server URL, for example the server host name vmrhel7x.

    • It is recommended to use https for all communication.
    - Google Chrome

    On Windows client machines, Chrome shares its configuration with Internet Explorer, so if all changes were applied to IE (as described below), nothing has to be passed via command-line parameters.

    - Microsoft Edge
    Microsoft Edge shares its configuration with Internet Explorer, so if all changes were applied to IE (as described below), nothing else needs to be done.

    - Internet Explorer
    Complete the following steps to ensure that your Internet Explorer browser is enabled to perform SPNEGO authentication.

    • Open Internet Explorer.
    • Click Tools > Internet Options > Security tab.
    • In the Local intranet section, make sure your server is trusted, for example by adding it to the site list.

    • Click "Custom level" and select "Automatic logon with current user name and password" under "User Authentication".


    NOTICE:

    • To use Kerberos authentication, the clock difference between all the hosts must be less than 5 minutes.
    • When entering the URL to access the service, automatic logon to the LSF add-on is only supported when the host name is used in the URL.

    3) Enter the LSF host information and click "OK".


    ------------------------------
    Edward Deng
    ------------------------------