
We are using Java Kerberos authentication to connect to our SQL Server DB from Linux. Here we had used the principal name and the password to generate a keytab file on the Linux system. Currently the connectivity works fine.

But there has been an additional requirement to use expiring passwords, which expire every 3 months. In our other applications we use an API called CyberArk which retrieves the password from a vault and Ops team need not bother about changing the password on the application server located on the Linux system.

Does anyone have any experience of using Kerberos in such an environment? We are basically looking at avoiding having to regenerate the keytab file every time the password expires.

nprak
  • You can script an update of the keytab, with `ktutil` on Linux *(on RedHat & friends, part of `krb5_workstation` package, like `kinit`)*, and with `ktab.exe` on Windows *(shipped with Oracle/Sun JRE)*, so that you can change your password in AD *and* update the keytab in one pass. – Samson Scharfrichter May 02 '17 at 13:55
  • The issue that we are facing is that the password update in AD is done every three months by another system. So our Linux environment basically knows nothing about the password update. So, once the AD password for our principal is updated, I assume that the keytab will no longer be valid. We will have to regenerate the ticket manually in this case. – nprak May 03 '17 at 08:55
  • Can you bribe/bully/threaten the admin team for _"the other system"_ so that they **automatically** create a new keytab at the time they run the update? Ideally, the new pwd should be added *in advance* in the keytab with an increment in `kvno` -- quoting https://serverfault.com/questions/699641/how-to-avoid-frequent-kvno-increases-when-using-apache-httpd-with-mod-auth-kerb, _" AD generally doesn't care what your KVNO is ... going to try to decrypt/validate with the most recent key that it has for that principal, and if that doesn't work, it will try with the previous one"_ – Samson Scharfrichter May 03 '17 at 10:35
  • @nprak, sorry to ask this here, but can you provide some tips on how you set up the Kerberos auth? I'm asking because I have exactly the same need (Linux -> Windows Auth -> SQL Server), and I'm having a hard time finding good info on how to set this up. Any help would be greatly appreciated. – splashout Sep 17 '20 at 01:00

1 Answer


I don't think you can avoid regenerating the keytab file in the event of the password changing or expiring. What you can do, however, is make it painless to generate the keytab file on the Linux server. This requires the Linux server to join the Active Directory, using the RHEL native tool realm or Centrify software.

The RHEL tool documentation is here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/realmd-domain

For Centrify users: https://community.centrify.com/t5/Centrify-Express/Replace-SSH-Keys-with-Kerberos-Keytabs/td-p/10112

Kexin Z
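The scripted `ktutil` update suggested in the comments (add the new password under an incremented `kvno`, keep the previous entries so AD can match either key) and the "make it painless" point of the answer, as an added example that is not code from the question or the answers. The keytab path, principal name and enctype are placeholders, and the vault lookup that supplies the new password is assumed to exist.

```sh
#!/bin/sh
# Added example, not from the question or the answers: after an AD password
# change, append the new key to an existing keytab with an incremented kvno,
# keeping the previous entries so either key still works while AD settles.
# KEYTAB, PRINCIPAL and ENCTYPE are placeholders, not the poster's values.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
PRINCIPAL="${PRINCIPAL:-svc_sql@EXAMPLE.COM}"
ENCTYPE="${ENCTYPE:-aes256-cts-hmac-sha1-96}"

# Highest kvno recorded for $PRINCIPAL in `klist -k` output ("KVNO Principal"
# columns); prints 0 when the principal is absent. Takes the listing as $1 so
# it can be checked without a real keytab.
current_kvno() {
    printf '%s\n' "$1" | awk -v p="$PRINCIPAL" '
        $1 ~ /^[0-9]+$/ && $2 == p && $1 + 0 > max { max = $1 + 0 }
        END { print max + 0 }'
}

# Build the ktutil command script: read_kt keeps the old entries, addent adds
# the new password under kvno $2. The password goes to ktutil on stdin, never
# on a command line, so it does not appear in `ps` output.
ktutil_script() {
    # $1: new password, $2: kvno for the new entry
    printf 'read_kt %s\naddent -password -p %s -k %s -e %s\n%s\nwrite_kt %s\n' \
        "$KEYTAB" "$PRINCIPAL" "$2" "$ENCTYPE" "$1" "$KEYTAB"
}

# Rotate in place: next kvno = highest existing + 1, then prove the keytab
# works by obtaining a ticket with it into a throwaway credential cache.
rotate_keytab() {
    new_pw="$1"
    kvno=$(( $(current_kvno "$(klist -k "$KEYTAB")") + 1 ))
    umask 077
    ktutil_script "$new_pw" "$kvno" | ktutil || return 1
    cache="FILE:/tmp/krb5cc_rotate_$$"
    KRB5CCNAME="$cache" kinit -kt "$KEYTAB" "$PRINCIPAL" && kdestroy -c "$cache"
}

# Usage: ./rotate.sh --rotate "$(vault-fetch svc_sql)"  (vault-fetch is assumed)
if [ "${1-}" = "--rotate" ]; then
    rotate_keytab "$2"
fi
```

If the AES key made from the password does not validate against AD, the salt differs from the default; newer MIT `ktutil` accepts `-f` on `addent` to fetch the salt from the KDC.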