Enable Kerberos realm in Elastic docker container for Kibana authentication

Michal_Stefanec · August 21, 2020, 1:16pm

Hello,

we have ELK stack (7.8.0) deployed on our on-premise server. We user docker-compose deployment and currently we are using Trial license. We would like to authenticate domain users when logging in Kibana.

Kerberos is fully deployed on the on-premise server, where docker-compose is running and I copied krb5.conf and krb5.keytab files to the Elasticsearch container, created a role binding and enabled debug (krb.debug: true). Trying to log with the same credentials as to on-premise server.

I can't see any logs in Elastic container and I can't figure it out what's happening and where is the problem.

Can you help me please?

ikakavas · August 22, 2020, 7:50am

Can you share your kerberos realm configuration for kibana and elasticsearch?

Michal_Stefanec · August 24, 2020, 7:54am

[libdefaults]
default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
dns_lookup_kdc = true
pkinit_kdc_hostname = <DNS>
pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
pkinit_eku_checking = kpServerAuth
pkinit_win2k_require_binding = false
pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so
default_keytab_name = /etc/krb5.keytab
default_realm = XXX.LOCAL
[domain_realm]
.xxx.local = XXX.LOCAL
.xxx.com = XXX.COM
[realms]
XXX.LOCAL = {
auth_to_local = RULE:[1:$0\$1](^XXX\.LOCAL\\.*)s/^XXX\.LOCAL\\//
auth_to_local = RULE:[1:$0\$1](^XXX\.COM\\.*)s/^XXX\.COM/XXX/
auth_to_local = DEFAULT
}
[capaths]
[appdefaults]
pam = {
mappings = XXX\\(.*) $1@XXX.LOCAL
forwardable = true
validate = true
}
httpd = {
mappings = XXX\\(.*) $1@XXX.LOCAL
reverse_mappings = (.*)@XXX\.LOCAL XXX\$1
}

Michal_Stefanec · August 24, 2020, 8:08am

xpack.security.authc.realms.kerberos.kerb1:
order: 3
keytab.path: es.keytab
remove_realm_name: false

ikakavas · August 24, 2020, 8:23am

How about your kibana configuration? You need to configure it too , see https://www.elastic.co/guide/en/kibana/7.x/kibana-authentication.html#kerberos

also, how exactly are you trying to authenticate ? You wouldn't need to enter credentials in Kibana, you would have to kinit on the machine where you want to SSO with kerberos from and the authentication should happen automatically if your browser supports it/is configured

You need to check the docs here - bottom of the page on how to enable the troubleshooting. See here for how to set the necessary JVM options in docker so that you can see all debug logs in your docker logs

Michal_Stefanec · August 24, 2020, 8:35am

Thanks for a help, i didn't know i have to configure it also for Kibana. I'll give it a try

ikakavas · August 24, 2020, 8:58am

I'll make sure we update the docs in ES to point to the kibana docs too, it was easy to miss. Thanks for the feedback

ikakavas · August 24, 2020, 2:01pm

@Michal_Stefanec I opened https://github.com/elastic/elasticsearch/pull/61466 to add a hint in our docs. Thanks again

system · September 7, 2020, 2:01pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.