Configuring Command Line Program (saCMD) for Kerberos Authentication

This section explains how to configure the command line program (saCMD) for Kerberos authentication.

Prerequisites

  • Ensure that all the machines configured for Kerberos setup are in the same domain.

    Example: TA KERBEROS.COM

  • Kerberos setup for the client manager requires a minimum of four boxes in the same domain, with administrator rights on each:

    • Active Directory Box with Domain Controller.

      Example: Named as TA KDC.

    • Client Manager Box.

      Example: Named as TA APP.

    • Master Box.

      Example: Named as TA MASTER.

    • Client saCMD Box with installation agent.

      Example: Named as TA CLI.

  • Ensure that all the boxes are reachable from each other using the following commands:

    ping <hostname> or <IP address>
    nslookup <hostname> or <IP address>

If you are not configuring a key tab for the user used in the script or job, run the agent service as the logged-in user instead of as the local account. The username must include the realm name.

Example: TA kerberos\cliuser@TA KERBEROS.COM.

Creating the key tab file for the client box (saCMD) user

  1. Open a command prompt on the AD box.

  2. Create the key tab file, which is the authorization token for the client box (saCMD) user (cliuser).

  3. On the command prompt, enter the command:

    ktpass -out <keytab location> -princ <clientbox user>@<realm name> -pass <password> -crypto <crypto> -pType KRB5_NT_PRINCIPAL

    Example: ktpass -out c:\temp\cliuser.keytab -princ cliuser@TA KERBEROS.COM -pass control@123 -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL

  4. After creating the key tab file, copy it from the AD box to the client box (saCMD).

  5. Ensure that the following file is available in the config folder of the command line program, to perform the Kerberos setup:

    krb5.ini

    The content of the file krb5.ini is given below:

    [libdefaults]
    default_realm = TA KERBEROS.COM <domain name>
    permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
    default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
    default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5

    [realms]
    TA KERBEROS.COM = {
    kdc = 172.21.243.238 <IP address of the AD box>
    admin_server = 172.21.243.238
    default_domain = TA KERBEROS.COM
    }

    [domain_realm]
    TA kerberos.com = TA KERBEROS.COM
    .TA kerberos.com = TA KERBEROS.COM

    [appdefaults]
    autologin = true
    forwardable = true

  6. Edit tescmd.props and provide the following:

    • Set the following property to true. If it is set to false, the command line program works in basic authentication mode through AD/LDAP.

      isKerberos=true

    • Location of the krb5.ini. The customer can provide their own path to the file.

      krb5.conf=C:\\Program Files\\Tidal\\TESCmdLine\\config\\krb5.ini

    • Logging flags.

      krb5.debug=true

    • Location of the key tab file for the corresponding user. The customer can provide their own path to the file. This property applies only when the script or job supplies a username and password. In interactive mode, the command line program prompts only for the key tab path and not for the password.

      Example:

      cliuser=C:\\Program Files\\Tidal\\Client Transporter\\config\\cliuser.keytab
      testuser=C:\\Program Files\\Tidal\\Client Transporter\\config\\testuser.keytab
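The krb5.ini and tescmd.props settings above are easy to get subtly wrong (realm not upper case, a [realms] entry that does not match default_realm, isKerberos left at false, a key tab path that was never copied over). The following validator is an added example, not part of the Tidal product or this document; it parses the two files in the layout shown above and reports the problems a practitioner would want caught before the first login attempt. The realm EXAMPLE.COM, the KDC address 192.0.2.10 and the file paths in the sample inputs are constructed for the example, and the check that flags arcfour-hmac-md5 (RC4) as a weak enctype is this example's own recommendation, not a statement from the page.

```python
import os
from typing import Dict, List

# Constructed sample files mirroring the layout given in the document.
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = EXAMPLE.COM
permitted_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
default_tgs_enctypes = aes128-cts aes256-cts arcfour-hmac-md5
default_tkt_enctypes = aes128-cts aes256-cts arcfour-hmac-md5

[realms]
EXAMPLE.COM = {
kdc = 192.0.2.10
admin_server = 192.0.2.10
default_domain = EXAMPLE.COM
}

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM

[appdefaults]
autologin = true
forwardable = true
"""

SAMPLE_PROPS = r"""
isKerberos=true
krb5.conf=C:\\Program Files\\Tidal\\TESCmdLine\\config\\krb5.ini
krb5.debug=true
cliuser=C:\\Program Files\\Tidal\\TESCmdLine\\config\\cliuser.keytab
testuser=C:\\Program Files\\Tidal\\TESCmdLine\\config\\testuser.keytab
"""

# Enctypes this example treats as weak (RC4 and single DES).
WEAK_ENCTYPES = {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac", "des-cbc-crc", "des-cbc-md5"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tgs_enctypes", "default_tkt_enctypes")
# Properties named on the page; every other key=value in tescmd.props is a user -> keytab mapping.
KNOWN_PROPS = {"isKerberos", "krb5.conf", "krb5.debug"}


def parse_krb5_ini(text: str) -> Dict[str, Dict[str, object]]:
    """Parse krb5.ini into {section: {key: value}}; a brace-delimited realm block becomes a nested dict."""
    sections: Dict[str, Dict[str, object]] = {}
    current: Dict[str, object] = {}
    stack: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            stack = []
            continue
        if line == "}":
            current = stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block: Dict[str, object] = {}
            current[key] = block
            stack.append(current)
            current = block
        else:
            current[key] = value
    return sections


def parse_props(text: str) -> Dict[str, str]:
    """Parse a minimal Java-style .properties file; '\\\\' in the file is one literal backslash."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\\\", "\\")
    return props


def keytab_paths(props: Dict[str, str]) -> Dict[str, str]:
    """Return the user -> keytab path mappings from tescmd.props."""
    return {k: v for k, v in props.items() if k not in KNOWN_PROPS}


def missing_keytabs(props: Dict[str, str]) -> List[str]:
    """Keytab paths referenced in tescmd.props that do not exist on this box (step 4: copy them over)."""
    return [p for p in keytab_paths(props).values() if not os.path.isfile(p)]


def check_config(krb5: Dict[str, Dict[str, object]], props: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means the files are consistent."""
    findings: List[str] = []
    if props.get("isKerberos", "").lower() != "true":
        findings.append("isKerberos is not 'true': saCMD will use basic AD/LDAP authentication instead")
    if not props.get("krb5.conf"):
        findings.append("krb5.conf property is missing: saCMD cannot locate krb5.ini")
    libdefaults = krb5.get("libdefaults", {})
    realm = str(libdefaults.get("default_realm", ""))
    if not realm:
        findings.append("[libdefaults] default_realm is missing")
    else:
        if realm != realm.upper():
            findings.append(f"default_realm '{realm}' is not upper case; Kerberos realm names are case-sensitive")
        realm_block = krb5.get("realms", {}).get(realm)
        if not isinstance(realm_block, dict):
            findings.append(f"[realms] has no entry for default_realm '{realm}'")
        elif "kdc" not in realm_block:
            findings.append(f"[realms] {realm} has no kdc line (address of the AD box)")
        if realm not in set(krb5.get("domain_realm", {}).values()):
            findings.append(f"[domain_realm] maps no DNS domain to '{realm}'")
    for key in ENCTYPE_KEYS:
        weak = sorted(set(str(libdefaults.get(key, "")).split()) & WEAK_ENCTYPES)
        if weak:
            findings.append(f"[libdefaults] {key} permits weak enctype(s) {', '.join(weak)}; prefer AES only")
    for user, path in keytab_paths(props).items():
        if not path.lower().endswith(".keytab"):
            findings.append(f"property '{user}' does not point at a .keytab file: {path}")
    return findings


if __name__ == "__main__":
    cfg, prp = parse_krb5_ini(SAMPLE_KRB5_INI), parse_props(SAMPLE_PROPS)
    for finding in check_config(cfg, prp) + [f"keytab not found on this box: {p}" for p in missing_keytabs(prp)]:
        print("-", finding)
```

Run against the sample input the script reports only the three RC4 findings plus the not-yet-copied key tab files; on a real client box, replace the two sample strings with the contents of the config folder's krb5.ini and tescmd.props.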