Modifying Kerberos Realm Information

This section describes how to modify the information about an existing Kerberos realm.

Procedure

  1. Choose Resources > Access > Account.
  2. Click the name of the desired account. On the page that is displayed, select the Domain Configuration tab.
  3. In the Kerberos area, click More on the right of the desired Kerberos realm and select Modify.

    The Modify Kerberos Realm page is displayed on the right.

  4. Set basic information. Table 1 describes the parameters.

    Table 1 Basic information about a Kerberos realm

    Parameter: Realm Name
    Description: Indicates the name of a Kerberos realm. If the AD domain server is used as the KDC server, the Kerberos realm name is the AD domain name queried on the Active Directory Users and Computers tool.
    [Rule] When entering a domain name, convert it to uppercase letters.
    [Example] TEST.COM

    Parameter: KDC IP Address
    Description: Indicates the IP address of the Kerberos KDC.

    Parameter: KDC Port
    Description: Indicates the port number of the Kerberos KDC.
    [Rule] The default value is 88. If you set another value for this parameter, the set value prevails.

    Parameter: KDC Vendor
    Description: Indicates the vendor of the Kerberos KDC.
    • If a Windows AD domain server is used as the KDC server, set the KDC vendor to Windows.
    • If a non-Windows AD domain server is used as the KDC server, set the KDC vendor to non-Windows.

    Parameter: Kerberos Realm User Name
    Description: Indicates the user name for logging in to a Kerberos realm server.
    [How to obtain] Contact the Kerberos realm administrator to obtain the password.
    NOTE: This parameter needs to be set when you add or remove a service IP address.

    Parameter: Password
    Description: Indicates the password for logging in to a Kerberos realm server.
    [How to obtain] Contact the Kerberos realm administrator to obtain the password.
    NOTE: This parameter needs to be set when you add or remove a service IP address.

  5. Enable the Kerberos service for a service IP address.

    1. Click Add.

      The Add Service IP Address page is displayed.

    2. Set the parameters. Table 2 describes the related parameters.

      Table 2 Parameters for enabling the Kerberos service

      Parameter: Subnet
      Description: Indicates a subnet. It is used to configure service planes of the file, object, and HDFS services.

      Parameter: Zone
      Description: Indicates a zone. A zone contains a group of nodes that process service access requests from clients and have the same domain name and load balancing policy. A group of service network floating IP addresses is specified for these nodes.

      Parameter: Service IP Address
      Description: Indicates a service IP address. It is used for service access of clients.
      [Rule] Before enabling the service, configure the service network and ensure that the selected service IP address is online.

      Parameter: FQDN
      [Rule] An FQDN cannot contain special characters @#*()=+[]|;:",<>\/? or control characters. Due to differences between KDC servers, you are advised to include the lowercase KDC domain name in the FQDN. Example: test.example.com.

      Parameter: Service Principal Name
      Description: Identifies a unique identity in a Kerberos realm, that is, the name of the service IP address of the storage system in the Kerberos realm. After this function is enabled, clients can use this name to access the storage system.

      Parameter: Overwrite Service Principal Name
      Description: Enables or disables Overwrite Service Principal Name.
      NOTICE:
        1. If the service principal name already exists in the domain controller and this option is enabled, the service IP address of the service principal name in the domain controller will be overwritten. As a result, authentication between the domain controller and the device that owns the service IP address corresponding to the service principal name will be affected.
        2. If the service principal name already exists in the domain controller and this option is not enabled, adding a service IP address will fail.
    3. Click OK.
    4. If KDC Vendor is set to Non-Windows, you need to upload the keytab file after enabling the Kerberos service for the service IP address.

      Select a port and click Remove or choose More > Remove on the right of the desired port to remove the service IP address and disable the Kerberos service of the service IP address.

  6. Click OK.

    Confirm your operation as prompted.
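
The rules in Table 1 and Table 2 can be checked before the values are typed into the page. The following is an added example, not part of the product or its documentation: the function name `check_realm_settings` and the error/warning levels are hypothetical, the accepted port range of 1 to 65535 is an assumption, and the "KDC domain name" is assumed to be the realm name in lowercase.

```python
import ipaddress

# Characters the FQDN rule in Table 2 forbids, copied from the page.
FORBIDDEN_FQDN_CHARS = set('@#*()=+[]|;:",<>\\/?')
DEFAULT_KDC_PORT = 88  # default stated in Table 1


def check_realm_settings(realm, kdc_ip, fqdn, kdc_port=DEFAULT_KDC_PORT):
    """Return (level, message) findings; an empty list means all checks pass.

    Hypothetical helper: the name and the 'error'/'warning' levels are not
    part of the product.
    """
    findings = []

    # Table 1 rule: the realm name is entered in uppercase, e.g. TEST.COM.
    if not realm or realm != realm.upper():
        findings.append(("error", "realm name must be uppercase"))

    try:
        ipaddress.ip_address(kdc_ip)
    except ValueError:
        findings.append(("error", "KDC IP address is not a valid IP address"))

    # Assumption: any valid port number (1-65535) is accepted.
    is_int = isinstance(kdc_port, int) and not isinstance(kdc_port, bool)
    if not is_int or not 1 <= kdc_port <= 65535:
        findings.append(("error", "KDC port must be an integer from 1 to 65535"))

    # Table 2 rule: no listed special characters and no control characters.
    bad = sorted({c for c in fqdn
                  if c in FORBIDDEN_FQDN_CHARS or ord(c) < 32 or ord(c) == 127})
    if not fqdn:
        findings.append(("error", "FQDN is empty"))
    elif bad:
        findings.append(("error", "FQDN contains forbidden characters: %r" % bad))

    # Table 2 advice: include the lowercase KDC domain name in the FQDN.
    # Assumption: the KDC domain name is the realm name in lowercase.
    if realm and realm.lower() not in fqdn:
        findings.append(("warning", "FQDN lacks the lowercase KDC domain name"))

    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for args in [("TEST.COM", "192.0.2.10", "nas1.test.com"),
                 ("test.com", "192.0.2.10", "nas1@TEST.COM", 88)]:
        print(args, "->", check_realm_settings(*args) or "OK")
```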