Unable to negotiate with kerberos keytab file

Elastic Stack Elasticsearch
1

I'm unable to negotiate a user with kerberos keytab to URL i'm testing is
curl --negotiate -u : https://localhost:9200/_security/_authenticate --verbose
Although keytab user has superuser access it still shows Unauthorized. all other api calls are going though.
Does this need any other additional privilege to call this API..?

2

Hi

  • Please share the exact error messages you get and not your interpretation of them.
  • share your elasticsearch.yml configuration
  • share the exact output of that curl command
  • share the exact output of a curl calling an API that "is going through"
  • what do you mean that the user in keytab is a superuser ? Can you share the role mapping that you have in place that makes that happen ?
  • have you kinit your user before executing the curl command ?
3

curl --negotiate -u : https://localhost:9200/_security/_authenticate --verbose

  • About to connect () to sdev.fre.com port 9200 (#0)
  •  Trying 10.200.60.3
  • Connected to sdev.fre.com (10.200.60.3) port 9200 (#0)
    *Initializing NSS with certpath: sql:/etc/pki/nssdb
  • CAfile: /etc/elasticsearch/certs.ca.crt
    CApath: none
  • SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA 384
  • Server certificate:
  •         subject: CN=sdev.fre.com,OU=Software,O=fre,L=Farmington,ST=Michigan,C=US

  •         start date: May 20 15:57:37 2020 EDT

  •         expire date: May 20 15:58:03 2021 EDT

  •         common name: sdev.fre.com

  •         issuer: CN=vault.fre.com,O=fre,L=Farmington,ST=Michigan,C=US

GET /_security/_authenticate HTTP/1.1
User-Agent: curl/7.29.0
Host: sdev.fre.com:9200
Accept: /

< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Negotiate
< WWW-Authenticate: Bearer realm="security"
< WWW-Authenticate: Apikey
< WWW-Authenticate: Basic realm="security" charset="UTF-8"
< content-type: application/json; charset=UTF-8
< content-length: 529
<

GET /_security/_authenticate HTTP/1.1
Authorization: Negotiate YiBDQTEjMCEGCSqGSIb3DQEJARYUc3VwcG9ydEBmcmFuazRkZC5jb20wHhcNMTIwODIyMDUyNj0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UECAwFVG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs=
User-Agent: curl/7.29.0
Host: sdev.fre.com:9200
Accept: /

< HTTP/1.1 200 OK
< WWW-Authenticate: Negotiate YDIyMDUyNjU0WhcNMTcwODIxMDUyNjU0WjBKMQswCQYDVQQGEwJKUDEOMAwGA1UECAwFG9reW8xETAPBgNVBAoMCEZyYW5rNEREMRgwFgYDVQQDDA93d3cuZXhhbXBs
< content-type: application/json; charset=UTF-8
< content-length: 316
<

  • Closing connection 0
    {"username": "HTTP/sdev.fre.com","roles": ["superuser"], "full_name":null,"email":null,"metadata":{"kerberos_user_principal_name":"HTTP/sdev.fre.com@FRE.COM ","kerberos_realm":"FRE.COM"},"enabled":true,"authentication_realm":{"name":"kerb1","type":"kerberos"},"lookup_relam":{"name":"kerb1","type":"kerberos"}

Elasticsearch.yml
xpack.security.authc.realms.kerberos.kerb1.order: "3"
xpack.security.authc.realms.kerberos.kerb1.keytab.path: /etc/elasticsearch/elastic.keytab
xpack.security.authc.realms.kerberos.kerb1.remove_realm_name: true

Role_mapping:
curl --cacert /etc/elasticsearch/certs/sdev.fre.com.ca.crt -u elastic -H "content-Type: appplication/json" -X POST "https://sdev.fre.com:9200/_security/role_mapping/adm: --data "@data.json"

data.json:
{
"roles": [ "superuser" ],
"rules": {
"field": { "username" : "HTTP/sdev.fre.com@FRE.COM" }
},
"enabled": true
}

4

Yes, user is able to kinit and klist the ticket.

5

Please use ``` blocks to format your output, it's really hard to go through this as is. Use the preview panel on the right as you edit to see if the formatting is ok. Thanks

Also, this looks like a successful response where your user is authenticated and has the superuser role, so I don't see what the problem is.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.