Kerberos

Configuring Kerberos, Kerberos Realms, and Kerberos Keytabs.

  3 minute read

Kerberos is a web authentication protocol that uses strong cryptography to prove the identity of both client and server over an insecure network connection. Kerberos uses “realms” and “keytabs” to authenticate clients and servers. A Kerberos realm is an authorized domain that a Kerberos server can use to authenticate a client. By default, TrueNAS creates a Kerberos realm for the local system. A keytab (“key table”) is a file that stores encryption keys and is used for various authentication scenarios.

TrueNAS allows configuring both Kerberos realms and keytabs.

Kerberos Realms

Directory Services > Kerberos Realms can be used to view and add Kerberos realms. If the network contains a Key Distribution Center (KDC), click ADD to add the realm.



Kerberos Realm Options

Some settings are only available in Advanced Mode. To see these settings, either click ADVANCED MODE or configure the system to always display these settings by setting Show advanced fields by default in System > Advanced.

SettingValueAdvanced ModeDescription
RealmstringName of the realm.
KDCstringName of the Key Distribution Center.
Admin ServerstringServer where all changes to the database are performed.
Password ServerstringServer where all password changes are performed.

Kerberos Keytabs

Kerberos keytabs are used to do Active Directory or LDAP joins without a password. This means the password for the Active Directory or LDAP administrator account does not need to be saved into the TrueNAS configuration database, which is a security risk in some environments.

When using a keytab, it is recommended to create and use a less privileged account for performing the required queries as the password for that account will be stored in the TrueNAS configuration database. To create the keytab on a Windows system, use the ktpass command:

ktpass.exe /out freenas.keytab /princ http/useraccount@EXAMPLE.COM /mapuser useraccount /ptype KRB5_NT_PRINCIPAL /crypto ALL /pass userpass

where:

Setting /crypto to ALL allows using all supported cryptographic types. These keys can be specified instead of ALL:

  • DES-CBC-CRC is used for compatibility.
  • DES-CBC-MD5 adheres more closely to the MIT implementation and is used for compatibility.
  • RC4-HMAC-NT uses 128-bit encryption.
  • AES256-SHA1 uses AES256-CTS-HMAC-SHA1-96 encryption.
  • AES128-SHA1 uses AES128-CTS-HMAC-SHA1-96 encryption.

This will create a keytab with sufficient privileges to grant tickets.

After the keytab is generated, add it to the TrueNAS system using Directory Services > Kerberos Keytabs > Add Kerberos Keytab.

To instruct the Active Directory service to use the keytab, select the installed keytab using the drop-down Kerberos Principal menu in Directory Services > Active Directory Advanced Mode. When using a keytab with Active Directory, make sure that username and userpass in the keytab matches the Domain Account Name and Domain Account Password fields in Directory Services > Active Directory.

To instruct LDAP to use a principal from the keytab, select the principal from the drop-down Kerberos Principal menu in Directory Services ➞ LDAP Advanced Mode.

Kerberos Settings

Configure additional Kerberos parameters in the Directory Services > Kerberos Settings section.



Notes:

  • Appdefaults Auxiliary Parameters: Define any additional settings for use by some Kerberos applications. The available settings and syntax is listed in the [appdefaults] section of krb.conf(5).

  • Libdefaults Auxiliary Parameters: Define any settings used by the Kerberos library. The available settings and their syntax are listed in the [libdefaults] section of krb.conf(5).