Adding a Kerberos Realm

Prerequisites

• A Kerberos realm environment has been set up.
• The time of the Kerberos realm server must be synchronized with that of the storage system, with time difference no larger than 5 minutes. For details about how to configure the system time, see Time Settings.

Precautions

• The client to be authenticated and the storage system must be added to the same Kerberos realm.
• Before adding a storage system to a Kerberos realm, ensure that the primary controller of the storage system is connected to the Kerberos realm server.
• If Overwrite Service Principal Name is enabled and the entered service principal name is the same as an existing name on the domain controller, the logical port information of the current storage system will overwrite the existing service principal information on the domain controller.

Procedure

1. Choose Resources > Access > Account.
2. Click the name of the desired account. On the page that is displayed, select the Domain Configuration tab.
3. In the Kerberos area, click Add.

   The Add Kerberos Realm page is displayed on the right.

4. Set basic information. Table 1 describes the parameters.

   Table 1 Basic information about a Kerberos realm

   Parameter	Description
   Realm Name	Name of a Kerberos realm. If the AD domain server is used as the key distribution center (KDC) server, the Kerberos realm name is the AD domain name queried on the Active Directory Users and Computers tool. [Rule] When entering a domain name, convert it to uppercase letters. [Example] TEST.COM
   KDC IP Address	IP address of the Kerberos KDC.
   KDC Port	Port number of the Kerberos KDC. [Rule] The default value is 88. If you set another value for this parameter, the set value takes effect.
   KDC Vendor	Vendor of the Kerberos KDC. If a Windows AD domain server is used as the KDC server, set the KDC vendor to Windows. If a non-Windows AD domain server is used as the KDC server, set the KDC vendor to non-Windows.
   Kerberos Realm User Name	User name for logging in to a Kerberos realm server. [How to obtain] Contact the Kerberos realm administrator to obtain the password. NOTE: This parameter needs to be set when you add or remove a service IP address.
   Password	Password for logging in to a Kerberos realm server. [How to obtain] Contact the Kerberos realm administrator to obtain the password. NOTE: This parameter needs to be set when you add or remove a service IP address.

5. Enable the Kerberos service for a service IP address.
   1. Click Add.

      The Add Service IP Address page is displayed.

   2. Table 2 describes the related parameters.

      Table 2 Parameters for enabling the Kerberos service

      Parameter	Description
      Subnet	Indicates a subnet. It is used to configure service planes of the file, object, and HDFS services.
      Zone	Indicates a zone. A zone contains a group of nodes that process service access requests from clients and have the same domain name and load balancing policy. A group of service network floating IP addresses are specified for these nodes.
      Service IP Address	Indicates a service IP address. It is used for service access of clients. [Rule] Before enabling the service, configure the service network and ensure that the selected service IP address is online.
      FQDN	[Rule] An FQDN cannot contain special characters @#*()=+[]|;:",<>\/? or control characters. Due to differences between KDC servers, you are advised to include the lowercase KDC domain name in the FQDN. Example: test.example.com.
      Service Principal Name	Identifies a unique identity in a Kerberos realm. That is, name of the service IP address of the storage system in a Kerberos realm. After this function is enabled, clients can use this name to access the storage system.
      Overwrite Service Principal Name	Enables or disables Overwrite Service Principal Name. NOTICE: If the service principal name already exists in the domain controller and this option is enabled, the service IP address of the service principal name in the domain controller will be overwritten. As a result, the authentication of the device, to which the service IP address corresponding to the service principal name belongs, and the domain controller will be affected. If the service principal name already exists in the domain controller and this option is not enabled, adding a service IP address will fail.

   3. Click OK.
   4. If KDC Vendor is set to Non-Windows, you need to upload the keytab file after enabling the Kerberos service for the service IP address.
      

      Select a port and click Remove or choose More > Remove on the right of the desired port to remove the service IP address and disable the Kerberos service of the service IP address.

6. Click OK.

   Confirm your operation as prompted.