Enable Kerberos realm in Elastic docker container for Kibana authentication


We have the ELK stack (7.8.0) deployed on our on-premise server. We use a docker-compose deployment and currently we are using a Trial license. We would like to authenticate domain users when logging in to Kibana.

Kerberos is fully deployed on the on-premise server where docker-compose is running. I copied the krb5.conf and krb5.keytab files to the Elasticsearch container, created a role binding and enabled debug (krb.debug: true). I am trying to log in with the same credentials as on the on-premise server.

I can't see any logs in the Elastic container and I can't figure out what's happening and where the problem is.

Can you help me please?

Can you share your kerberos realm configuration for kibana and elasticsearch?

default_tgs_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tkt_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
preferred_enctypes = AES256-CTS AES128-CTS RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
dns_lookup_kdc = true
pkinit_kdc_hostname = <DNS>
pkinit_anchors = DIR:/var/lib/pbis/trusted_certs
pkinit_cert_match = &&<EKU>msScLogin<PRINCIPAL>
pkinit_eku_checking = kpServerAuth
pkinit_win2k_require_binding = false
pkinit_identities = PKCS11:/opt/pbis/lib/libpkcs11.so
default_keytab_name = /etc/krb5.keytab
default_realm = XXX.LOCAL
.xxx.local = XXX.LOCAL
.xxx.com = XXX.COM
auth_to_local = RULE:[1:$0\$1](^XXX\.LOCAL\\.*)s/^XXX\.LOCAL\\//
auth_to_local = RULE:[1:$0\$1](^XXX\.COM\\.*)s/^XXX\.COM/XXX/
auth_to_local = DEFAULT
pam = {
mappings = XXX\\(.*) $1@XXX.LOCAL
forwardable = true
validate = true
httpd = {
mappings = XXX\\(.*) $1@XXX.LOCAL
reverse_mappings = (.*)@XXX\.LOCAL XXX\$1
order: 3
keytab.path: es.keytab
remove_realm_name: false

How about your Kibana configuration? You need to configure it too, see https://www.elastic.co/guide/en/kibana/7.x/kibana-authentication.html#kerberos

Also, how exactly are you trying to authenticate? You wouldn't need to enter credentials in Kibana; you would have to kinit on the machine where you want to SSO with Kerberos from, and the authentication should happen automatically if your browser supports it/is configured.

You need to check the docs here - bottom of the page on how to enable the troubleshooting. See here for how to set the necessary JVM options in docker so that you can see all debug logs in your docker logs

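The three places the reply above points to, side by side, as an added example that is not from the thread: the Elasticsearch realm, the Kibana provider, and the JVM debug flags passed through docker-compose. The realm name `kerb1`, the provider names `kerberos1` and `basic1`, the compose service name and the host-side file paths are assumptions; `order`, `keytab.path`, `remove_realm_name` and `krb.debug` carry the values quoted in the question.

```yaml
# docker-compose.yml, Elasticsearch service fragment
# (service name and host-side paths are assumptions)
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.8.0
    environment:
      # JDK Kerberos/SPNEGO tracing is written to stdout, so it appears in `docker logs`
      ES_JAVA_OPTS: >-
        -Djava.security.krb5.conf=/usr/share/elasticsearch/config/krb5.conf
        -Dsun.security.krb5.debug=true
        -Dsun.security.spnego.debug=true
    volumes:
      # Mount read-only; the keytab holds the service key and must be readable
      # only by the user Elasticsearch runs as inside the container
      - ./krb5.conf:/usr/share/elasticsearch/config/krb5.conf:ro
      - ./es.keytab:/usr/share/elasticsearch/config/es.keytab:ro
---
# elasticsearch.yml (realm name "kerb1" is an assumption)
xpack.security.enabled: true
xpack.security.authc.realms.kerberos.kerb1:
  order: 3
  # Resolved relative to the Elasticsearch config directory; the keytab must
  # contain the HTTP/<hostname>@<REALM> service principal clients request
  keytab.path: es.keytab
  remove_realm_name: false
  krb.debug: true
---
# kibana.yml (provider names "kerberos1" and "basic1" are assumptions)
xpack.security.authc.providers:
  # Try SPNEGO first: the browser sends the ticket obtained via kinit/domain logon
  kerberos.kerberos1:
    order: 0
  # Keep the login form available for accounts that are not in the Kerberos realm
  basic.basic1:
    order: 1
```

If the realm is configured in Elasticsearch but the Kerberos provider is missing from kibana.yml, Kibana never starts the SPNEGO exchange, which fits the symptom of no Kerberos debug output in the Elasticsearch container.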

Thanks for the help, I didn't know I have to configure it for Kibana as well. I'll give it a try.

I'll make sure we update the docs in ES to point to the kibana docs too, it was easy to miss. Thanks for the feedback

@Michal_Stefanec I opened https://github.com/elastic/elasticsearch/pull/61466 to add a hint in our docs. Thanks again
