MIT Kerberos Support for Tableau Server on Linux

Version 1


    Tableau Server on Linux supports Kerberos authentication for data sources that support MIT Kerberos. An MIT KDC with an OpenLDAP back-end using the Kerberos schema can be used for this. Tableau Server uses Kerberos constrained delegation via the S4U extensions (S4U2self and S4U2proxy). With Windows Active Directory, delegation is configured on the Delegation tab of the Server RunAs account's user properties. MIT KDC has no equivalent user property for listing the service principals that constrained delegation may target, so MIT KDC must be integrated with OpenLDAP using the Kerberos schema. Kerberos constrained delegation can then be configured by setting the target service principals on OpenLDAP and allowing delegation for the service principals on MIT KDC.

     

    Service principals on OpenLDAP:

     

         krbPrincipalName

         krbAllowedToDelegateTo

     

    Delegation settings on MIT KDC:

     

         ok_as_delegate

         ok_to_auth_as_delegate

     

    Before you begin, you need to:

     

    1.    Configure MIT KDC with OpenLDAP back-end:

         a.    Register user and computer accounts to MIT KDC.

         b.    Create service principals and keytab files.

         c.    Configure Kerberos constrained delegation.

         d.    Configure SASL/GSSAPI integration.

         e.    Configure LDAP Server to work with MIT Kerberos.

         f.    Add the Kerberos schema on OpenLDAP.

         g.    Create LDAP user accounts.

         h.    Configure Service principals for database and Kerberos delegation.

    2.    Configure Tableau Server on Linux with OpenLDAP auth.

    3.    Configure Windows Client on MIT Kerberos realm.

     

    Sample configuration for MIT KDC and OpenLDAP on the same CentOS server, with Teradata as the data source:

     

    1.    MIT KDC Configuration with OpenLDAP Back-end:

     

         Add Service principals for computer accounts:

     

         a.    sudo kadmin.local -q "ank -pw password host/<openldap_server>.domain.lan"

         b.    sudo kadmin.local -q "ank -pw password host/<database_server>.domain.lan"

         c.    sudo kadmin.local -q "ank -pw password host/<tableau_server>.domain.lan"

         d.    sudo kadmin.local -q "ank -pw password host/<windows_client>.domain.lan"

     

         Add principals for user accounts (as root):

     

         a.    sudo kadmin.local

              : addprinc <Kerberos_user>

              : addprinc <Server_RunAs_user>

     

         Add Service principals for Linux hosts, LDAP integration and Kerberos delegation, and create keytab files:

     

         a.    sudo kadmin.local

              : ktadd -k /etc/host.<openldap_server>.keytab host/<openldap_server>.domain.lan@DOMAIN.LAN

              : ktadd -k /etc/host.<tableau_server>.keytab host/<tableau_server>.domain.lan@DOMAIN.LAN

         b.    sudo kadmin.local

              : add_principal -randkey ldap/<openldap_server>.domain.lan

              : ktadd -k /etc/ldap.<openldap_server>.keytab ldap/<openldap_server>.domain.lan@DOMAIN.LAN

         c.    sudo kadmin.local

              : addprinc HTTP/<tableau_server>.domain.lan

              : ktadd -k /etc/http.<tableau_server>.keytab HTTP/<tableau_server>.domain.lan@DOMAIN.LAN

         d.    sudo ktutil

              : read_kt /etc/host.<openldap_server>.keytab

              : read_kt /etc/ldap.<openldap_server>.keytab

              : list

              : write_kt /etc/krb5.keytab

              : quit

              sudo chmod 644 /etc/krb5.keytab

              klist -ke /etc/krb5.keytab (Making sure that the keytab file was created properly; principal names must match exactly, so host/<openldap_server> and host/<openldap_server>.domain.lan are different principals)

     

         Configure Kerberos delegation for Service principals:

     

         a.    sudo kadmin.local

              : modprinc +ok_as_delegate HTTP/<tableau_server>.domain.lan@DOMAIN.LAN

              : modprinc +ok_to_auth_as_delegate HTTP/<tableau_server>.domain.lan@DOMAIN.LAN
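Before moving on, it is worth confirming that the merged keytab holds every service principal and that the HTTP principal carries both delegation flags, since S4U constrained delegation fails later with unhelpful errors when either is off. The following Python script is an added example, not part of this guide or of Tableau's or MIT's tooling: it parses the text that `klist -ke` and `kadmin.local -q "getprinc ..."` print (constructed samples are embedded; the hosts ldap1 and tableau1 are hypothetical) and lists what would stop delegation from working. It also flags RC4 (arcfour-hmac) keys, which MIT Kerberos deprecates.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -ke /etc/krb5.keytab` output (not from the page);
# the HTTP principal is deliberately absent and one key is RC4.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ldap1.domain.lan@DOMAIN.LAN (aes256-cts-hmac-sha1-96)
   2 host/ldap1.domain.lan@DOMAIN.LAN (aes128-cts-hmac-sha1-96)
   2 ldap/ldap1.domain.lan@DOMAIN.LAN (aes256-cts-hmac-sha1-96)
   2 ldap/ldap1.domain.lan@DOMAIN.LAN (arcfour-hmac)
"""

# Constructed sample of `kadmin.local -q "getprinc HTTP/tableau1.domain.lan"` output.
SAMPLE_GETPRINC = """\
Principal: HTTP/tableau1.domain.lan@DOMAIN.LAN
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH OK_AS_DELEGATE OK_TO_AUTH_AS_DELEGATE
Policy: [none]
"""

# One keytab entry per line: "<kvno> <principal> (<enctype>)".
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Map each principal in `klist -ke` output to {enctype: kvno}."""
    keys = defaultdict(dict)
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            kvno, principal, enctype = m.groups()
            keys[principal][enctype] = int(kvno)
    return dict(keys)


def missing_principals(klist_text, required):
    """Required principals that have no key in the keytab."""
    present = parse_klist(klist_text)
    return sorted(p for p in required if p not in present)


def weak_keys(klist_text):
    """(principal, enctype) pairs using RC4, which MIT Kerberos deprecates."""
    return sorted((p, e) for p, encs in parse_klist(klist_text).items()
                  for e in encs if "arcfour" in e.lower())


def delegation_flags(getprinc_text):
    """Read the two constrained-delegation flags from the 'Attributes:' line."""
    for line in getprinc_text.splitlines():
        if line.startswith("Attributes:"):
            attrs = set(line.split(":", 1)[1].split())
            return {"ok_as_delegate": "OK_AS_DELEGATE" in attrs,
                    "ok_to_auth_as_delegate": "OK_TO_AUTH_AS_DELEGATE" in attrs}
    return {"ok_as_delegate": False, "ok_to_auth_as_delegate": False}


def s4u_readiness(klist_text, getprinc_text, required):
    """Everything that would stop S4U constrained delegation from working."""
    problems = [f"keytab lacks {p}" for p in missing_principals(klist_text, required)]
    problems += [f"{p} has weak key {e}" for p, e in weak_keys(klist_text)]
    problems += [f"front-end principal lacks {flag}"
                 for flag, ok in delegation_flags(getprinc_text).items() if not ok]
    return problems


if __name__ == "__main__":
    required = ["host/ldap1.domain.lan@DOMAIN.LAN", "ldap/ldap1.domain.lan@DOMAIN.LAN",
                "HTTP/tableau1.domain.lan@DOMAIN.LAN"]
    for problem in s4u_readiness(SAMPLE_KLIST, SAMPLE_GETPRINC, required):
        print("PROBLEM:", problem)
```

To run it against a real host, capture `klist -ke /etc/krb5.keytab` and the `getprinc` output to files and pass their contents to `s4u_readiness`. A keytab holds long-term keys, so the mode 644 used in this guide makes them readable by every local account; limiting the file to root and the service account that needs it (the setfacl approach used for slapd later in this guide) is the safer choice.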

     

         Configure SASL/GSSAPI integration: /etc/openldap/slapd.d/cn=config.ldif

     

         a.    vi sasl.ldif

              dn: cn=config

              changetype: modify

              replace: olcSaslHost

              olcSaslHost: <openldap_server>

              dn: cn=config

              changetype: modify

              replace: olcSaslRealm

              olcSaslRealm: DOMAIN.LAN

              dn: cn=config

              changetype: modify

              replace: olcSaslSecProps

              olcSaslSecProps: noplain,noactive,noanonymous,minssf=56

              dn: cn=config

              changetype: modify

              replace: olcAuthzRegexp

              olcAuthzRegexp: {0}"uid=([^/]*),cn=DOMAIN.LAN,cn=GSSAPI,cn=auth" "uid=$1,ou=People,dc=domain,dc=lan"

              dn: cn=config

              changetype: modify

              replace: olcAuthzRegexp

              olcAuthzRegexp: {1}"uid=host/([^/]*).domain.lan,cn=domain.lan,cn=gssapi,cn=auth" "cn=$1,ou=hosts,dc=domain,dc=lan"

         b.    sudo ldapmodify -Y EXTERNAL  -H ldapi:/// -f sasl.ldif
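The two olcAuthzRegexp rules are the part of this step that most often goes wrong: slapd applies them to the SASL identity uid=<user>,cn=<realm>,cn=<mech>,cn=auth in order, case-insensitively, and uses the first rule that matches. The following Python snippet is an added example, not from this guide or from OpenLDAP; it reproduces that evaluation so the mapping can be previewed before the LDIF is loaded. Treating each rule as a whole-identity match is an assumption of this preview, and the sample identities (alice, host/ws1.domain.lan, bob) are constructed.

```python
import re

# The two rules from sasl.ldif, in the order slapd evaluates them (first match wins).
# OpenLDAP compiles the match pattern as an extended regex, case-insensitively, and
# the replacement refers to captured groups as $1..$9.
AUTHZ_REGEXP_RULES = [
    (r"uid=([^/]*),cn=DOMAIN.LAN,cn=GSSAPI,cn=auth",
     "uid=$1,ou=People,dc=domain,dc=lan"),
    (r"uid=host/([^/]*).domain.lan,cn=domain.lan,cn=gssapi,cn=auth",
     "cn=$1,ou=hosts,dc=domain,dc=lan"),
]


def compile_rules(rules):
    """Turn (pattern, "$n" replacement) pairs into (regex, Python template) pairs."""
    compiled = []
    for pattern, replacement in rules:
        regex = re.compile(pattern, re.IGNORECASE)
        template = re.sub(r"\$(\d)", r"\\\1", replacement)   # "$1" becomes "\1"
        compiled.append((regex, template))
    return compiled


def sasl_authz_identity(user, realm, mech="GSSAPI"):
    """The identity slapd derives from a SASL bind before authz-regexp is applied."""
    return f"uid={user},cn={realm},cn={mech},cn=auth"


def map_identity(identity, rules=AUTHZ_REGEXP_RULES):
    """DN the first matching rule rewrites `identity` to; unchanged if none matches.
    Whole-identity matching (fullmatch) is an assumption of this preview."""
    for regex, template in compile_rules(rules):
        m = regex.fullmatch(identity)
        if m:
            return m.expand(template)
    return identity


if __name__ == "__main__":
    for ident in (sasl_authz_identity("alice", "DOMAIN.LAN"),
                  sasl_authz_identity("host/ws1.domain.lan", "DOMAIN.LAN"),
                  sasl_authz_identity("bob", "OTHER.LAN")):
        print(f"{ident}\n  -> {map_identity(ident)}")
```

Two things the preview makes visible: a principal from a realm other than DOMAIN.LAN falls through unmapped and binds as an identity that matches no entry, and because the dots in the patterns are unescaped, cn=DOMAIN.LAN also matches cn=DOMAINXLAN; writing DOMAIN\.LAN in the pattern tightens it.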

     

         Configure SSL certs:

     

         a.    vi /etc/openldap/certs/certs.ldif

             dn: cn=config

             changetype: modify

             replace: olcTLSCertificateFile

             olcTLSCertificateFile: /etc/openldap/certs/ldapcert.pem

             dn: cn=config

             changetype: modify

             replace: olcTLSCertificateKeyFile

             olcTLSCertificateKeyFile: /etc/openldap/certs/ldapkey.pem

         b.    sudo ldapmodify -Y EXTERNAL  -H ldapi:/// -f certs.ldif

         c.    sudo slaptest -u (Making sure that SSL certs are configured properly)

     

         Configure LDAP Server to work with MIT Kerberos:

     

         a.    Get krb5.keytab from MIT KDC, then copy it to /etc and /etc/openldap (as ldap.keytab):

              sudo cp ~/krb5.keytab /etc

              sudo chmod 644 /etc/krb5.keytab

              sudo cp ~/krb5.keytab /etc/openldap/ldap.keytab

              sudo chmod 644 /etc/openldap/ldap.keytab

         b.    Configure OpenLDAP client:

              sudo setfacl -m u:ldap:r /etc/krb5.keytab

              sudo setfacl -m u:ldap:r /etc/pki/tls/cert.pem

              sudo vi /etc/sysconfig/ldap

                    SLAPD_LDAPS=YES

              sudo vi /etc/openldap/ldap.conf

              # OpenLDAP client configuration file. Used for host default settings

              BASE    dc=domain,dc=lan

              URI     ldap://<openldap_server>

              TLS_CACERT      /etc/pki/tls/cert.pem

              TLS_REQCERT     demand

         c.    Restart slapd.service:

              sudo systemctl stop slapd.service

              sudo systemctl start slapd.service

              sudo systemctl status slapd.service (Making sure that slapd.service is running properly)

     

         Add the Kerberos schema:

     

         a.    sudo cp /usr/share/doc/krb5-server-ldap-1.15.1/kerberos.schema /etc/openldap/schema

         b.    sudo vi schema_convert.conf

              include /etc/openldap/schema/core.schema

              include /etc/openldap/schema/collective.schema

              include /etc/openldap/schema/corba.schema

              include /etc/openldap/schema/cosine.schema

              include /etc/openldap/schema/duaconf.schema

              include /etc/openldap/schema/dyngroup.schema

              include /etc/openldap/schema/inetorgperson.schema

              include /etc/openldap/schema/java.schema

              include /etc/openldap/schema/misc.schema

              include /etc/openldap/schema/nis.schema

              include /etc/openldap/schema/openldap.schema

              include /etc/openldap/schema/ppolicy.schema

              include /etc/openldap/schema/kerberos.schema

         c.    mkdir /tmp/ldif_output

         d.    slapcat -f schema_convert.conf -F /tmp/ldif_output -n0 -s "cn={12}kerberos,cn=schema,cn=config" > /tmp/cn=kerberos.ldif

         e.    sudo vi /tmp/cn\=kerberos.ldif

              Modify:

                   dn: cn=kerberos,cn=schema,cn=config

                   objectClass: olcSchemaConfig

                   cn: Kerberos

              Comment out:

                   #structuralObjectClass: olcSchemaConfig

                   #entryUUID: 18ccd010-746b-102d-9fbe-3760cca765dc

                   #creatorsName: cn=config

                   #createTimestamp: 20090111203515Z

                   #entryCSN: 20090111203515.326445Z#000000#000#000000

                   #modifiersName: cn=config

                   #modifyTimestamp: 20090111203515

         f.    sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/cn\=kerberos.ldif

         g.    sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///

              dn: olcDatabase={2}hdb,cn=config

              add: olcDbIndex

              olcDbIndex: krbPrincipalName eq,pres,sub

         h.    sudo ldapmodify -Q -Y EXTERNAL -H ldapi:///

              dn: olcDatabase={2}hdb,cn=config

              replace: olcAccess

              olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=ldapadm,dc=domain,dc=lan" write by anonymous auth by self write by * none

              -

              add: olcAccess

              olcAccess: to dn.base="" by * read

              -

              add: olcAccess

              olcAccess: to * by dn="cn=ldapadm,dc=domain,dc=lan" write by * read

     

         Create LDAP user accounts:

     

         a.    sudo ldapadd -x -W -D "cn=ldapadm,dc=domain,dc=lan" -f <Kerberos_user>.ldif

         b.    sudo ldapadd -x -W -D "cn=ldapadm,dc=domain,dc=lan" -f <Server_RunAs_user>.ldif

     

         Configure Service principals for database and Kerberos delegation:

     

         a.    vi <database_server>.ldif

              dn: uid=<database_server>,ou=People,dc=domain,dc=lan

              changetype: modify

              add: objectClass

              objectClass: krbPrincipalAux

              -

              add: krbPrincipalName

              krbPrincipalName: TERADATA/<database_server>.domain.lan@DOMAIN.LAN

         b.    ldapmodify -h <openldap_server> -p 389 -D 'cn=ldapadm,dc=domain,dc=lan' -w password -f <database_server>.ldif

         c.    vi <tableau_server>.ldif

              dn: uid=<tableau_server>,ou=People,dc=domain,dc=lan

              changetype: modify

              add: objectClass

              objectClass: krbPrincipalAux

              -

              add: krbPrincipalName

              krbPrincipalName: HTTP/<tableau_server>.domain.lan@DOMAIN.LAN

              -

              add: krbAllowedToDelegateTo

              krbAllowedToDelegateTo: TERADATA/<database_server>.domain.lan@DOMAIN.LAN

         d.    ldapmodify -h <openldap_server> -p 389 -D 'cn=ldapadm,dc=domain,dc=lan' -w password -f <tableau_server>.ldif
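Both LDIF files in this step are changetype: modify records, and ldapmodify is strict about their shape: every attribute value must sit under an add:, replace: or delete: line, and consecutive changes are separated by a line holding only "-". The Python below is an added example, not part of this guide, that generates the record for a front-end principal with any number of krbAllowedToDelegateTo targets (generalising the single Teradata target above) and parses a record back so that a malformed one is caught before it reaches the directory. The DNs and principal names in it (uid=tableau1, db1, db2) are constructed.

```python
def delegation_ldif(dn, service_principal, targets):
    """LDIF 'changetype: modify' record adding the Kerberos schema attributes to dn.
    Each change is an 'add:' block; blocks are separated by a line containing '-'."""
    lines = [f"dn: {dn}", "changetype: modify",
             "add: objectClass", "objectClass: krbPrincipalAux", "-",
             "add: krbPrincipalName", f"krbPrincipalName: {service_principal}"]
    if targets:   # back-end SPNs this front end may request tickets for (S4U2proxy)
        lines += ["-", "add: krbAllowedToDelegateTo"]
        lines += [f"krbAllowedToDelegateTo: {t}" for t in targets]
    return "\n".join(lines) + "\n"


def parse_modify_ldif(text):
    """Parse one modify record into (dn, [(op, attribute, [values]), ...]).
    Raises ValueError for the shapes ldapmodify rejects: values not introduced by an
    add:/replace:/delete: line, or blocks not separated by '-'."""
    lines = [ln.rstrip() for ln in text.splitlines()
             if ln.strip() and not ln.startswith("#")]
    if len(lines) < 2 or not lines[0].startswith("dn: ") or lines[1] != "changetype: modify":
        raise ValueError("expected 'dn:' followed by 'changetype: modify'")
    dn, ops, current = lines[0][4:], [], None
    for line in lines[2:]:
        if line == "-":
            current = None            # closes the current add/replace/delete block
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if current is None:
            if attr.lower() not in ("add", "replace", "delete"):
                raise ValueError(f"expected add/replace/delete, got {line!r}")
            current = (attr.lower(), value, [])
            ops.append(current)
        elif attr.lower() == current[1].lower():
            current[2].append(value)
        else:
            raise ValueError(f"{attr!r} inside '{current[0]}: {current[1]}' block; "
                             "missing '-' separator")
    return dn, ops


def is_valid_modify_ldif(text):
    try:
        parse_modify_ldif(text)
        return True
    except ValueError:
        return False


# Constructed record showing a common mistake: an attribute value listed directly
# after changetype: modify, with no add: line or '-' separator before it.
BROKEN_RECORD = """\
dn: uid=db1,ou=People,dc=domain,dc=lan
changetype: modify
objectClass: krbPrincipalAux
add: krbPrincipalName
krbPrincipalName: TERADATA/db1.domain.lan@DOMAIN.LAN
"""

if __name__ == "__main__":
    print(delegation_ldif("uid=tableau1,ou=People,dc=domain,dc=lan",
                          "HTTP/tableau1.domain.lan@DOMAIN.LAN",
                          ["TERADATA/db1.domain.lan@DOMAIN.LAN"]))
    print("broken record accepted:", is_valid_modify_ldif(BROKEN_RECORD))
```

krbAllowedToDelegateTo is an allow-list: S4U2proxy only succeeds for the exact back-end principals listed, so one value per back-end service that Tableau must reach is the least-privilege shape.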

     

    2.    Tableau Server Configuration on Linux with OpenLDAP auth

     

         Configure Kerberos Client:

     

         a.    Register a Tableau Server machine to a DNS server.

         b.    Edit Kerberos Client configurations:

              E.g. sudo vi /etc/krb5.conf

                   [logging]

                   default = FILE:/var/log/krb5libs.log

                   kdc = FILE:/var/log/krb5kdc.log

                   admin_server = FILE:/var/log/kadmind.log

     

                   [libdefaults]

                   default_realm = DOMAIN.LAN

                   dns_lookup_realm = false

                   dns_lookup_kdc = false

                   ticket_lifetime = 24h

                   renew_lifetime = 7d

                   forwardable = true

     

                   [realms]

                   DOMAIN.LAN = {

                     kdc = <openldap_server>.domain.lan

                     admin_server = <openldap_server>.domain.lan

                   }

     

                   [domain_realm]

                   .domain.lan = DOMAIN.LAN

                   domain.lan = DOMAIN.LAN

         c.    Get krb5.keytab from MIT KDC, then copy it to /etc:

              sudo cp ~/krb5.keytab /etc/krb5.keytab

              sudo chmod 644 /etc/krb5.keytab

     

         Configure OpenLDAP Client:

     

         a.    Configure Network client to use LDAP:

              sudo authconfig --enableforcelegacy --update

              sudo authconfig --enableldap --enableldapauth --ldapserver="<openldap_server>.domain.lan" --ldapbasedn="dc=domain,dc=lan" --enablemkhomedir --update

              sudo authconfig --test

         b.    Edit OpenLDAP Client configurations:

              E.g. sudo vi /etc/openldap/ldap.conf

                   BASE   dc=domain,dc=lan

                   URI    ldap://<openldap_server>.domain.lan

              E.g. sudo vi /etc/nsswitch.conf

                   passwd:     files ldap

                   shadow:     files ldap

                   group:      files ldap

              E.g. sudo vi /etc/nslcd.conf

                   uid nslcd

                   gid ldap

                   

                   uri ldap://<openldap_server>.domain.lan/

                   base dc=domain,dc=lan

     

                   filter passwd (objectClass=inetorgperson)

                   map    passwd uidNumber        uid

                   map    passwd gidNumber        gid

                   filter group  (objectClass=groupOfUniqueNames)

                   map    group  gidNumber        gid

              E.g. sudo vi /etc/pam_ldap.conf

                   uri ldap://<openldap_server>.domain.lan/

                   base dc=domain,dc=lan

         c.    Make sure that pam_ldap.so is configured properly:

              E.g. sudo vi /etc/pam.d/system-auth

                   auth        sufficient    pam_ldap.so use_first_pass

                   account     [default=bad success=ok user_unknown=ignore] pam_ldap.so

                   password    sufficient    pam_ldap.so use_authtok

                   session     optional      pam_ldap.so

     

         Configure Tableau Server:

     

         a.    TSM configurations for LDAP Auth using Simple bind:

              tsm configuration set -k wgserver.authenticate -v activedirectory

              tsm configuration set -k wgserver.domain.directoryservice.type -v openldap

              tsm configuration set -k wgserver.domain.default -v domain.lan

              tsm configuration set -k wgserver.domain.fqdn -v domain.lan

              tsm configuration set -k wgserver.domain.nickname -v DOMAIN

              tsm configuration set -k wgserver.domain.username -v "cn=ldapadm,dc=domain,dc=lan"

              tsm configuration set -k wgserver.domain.password -v <password>

              tsm configuration set -k wgserver.domain.ldap.hostname -v <openldap_server>.domain.lan

              tsm configuration set -k wgserver.domain.port -v 389

              tsm configuration set -k wgserver.domain.ldap.bind -v simple

              tsm configuration set -k wgserver.domain.ldap.group.baseFilter -v '"(&(objectClass=groupOfUniqueNames)(ou=groups))"'

              tsm configuration set -k wgserver.domain.ldap.group.name -v cn

              tsm configuration set -k wgserver.domain.ldap.group.email -v mail

              tsm configuration set -k wgserver.domain.ldap.group.description -v description

              tsm configuration set -k wgserver.domain.ldap.group.member -v member

              tsm configuration set -k wgserver.domain.ldap.user.baseFilter -v '"(objectClass=inetorgperson)"'

              tsm configuration set -k wgserver.domain.ldap.user.username -v uid

              tsm configuration set -k wgserver.domain.ldap.user.displayname -v displayName

              tsm configuration set -k wgserver.domain.ldap.user.email -v mail

              tsm configuration set -k wgserver.domain.ldap.user.usercertificate -v userCertificate

              tsm configuration set -k wgserver.domain.ldap.user.memberof -v memberof

         b.    TSM configurations for Kerberos SSO:

              tsm configuration set -k wgserver.kerberos.enabled -v true

              tsm authentication kerberos enable

              tsm authentication kerberos configure --keytab-file /var/opt/tableau/tableau_server/keytab/kerberos.keytab

         c.    TSM configurations for Kerberos delegation:

              tsm configuration set -k features.LinuxMITKerberos -v true

              tsm configuration set -k native_api.datasource_impersonation_runas_principal -v HTTP/<tableau_server>.domain.lan@DOMAIN.LAN

              tsm configuration set -k native_api.datasource_impersonation_runas_keytab_path -v /var/opt/tableau/tableau_server/keytab/kerberos.keytab

         d.    TSM configurations for Kerberos RunAs connection:

              tsm configuration set -k features.RunAsAuthLinux -v true

              tsm configuration set -k native_api.datasource_runas_principal -v <Server_RunAs_user>@DOMAIN.LAN

              tsm configuration set -k native_api.datasource_runas_keytab_path -v /var/opt/tableau/tableau_server/keytab/<Server_RunAs_user>-runas.keytab

         e.    Kerberos keytab files:

              For Kerberos SSO and Kerberos delegation:

                   Create a keytab file (on MIT KDC):

                        sudo kadmin.local

                        : ktadd -k /etc/host.<tableau_server>.keytab host/<tableau_server>.domain.lan@DOMAIN.LAN

                        : addprinc HTTP/<tableau_server>.domain.lan

                        Principal: HTTP/<tableau_server>.domain.lan@DOMAIN.LAN

                        Password: password

                        : ktadd -k /etc/mitkerb.<tableau_server>.keytab HTTP/<tableau_server>.domain.lan@DOMAIN.LAN

                   Rename and copy the keytab file to /var/opt/tableau/tableau_server/keytab (on Tableau Server):

                        sudo mkdir /var/opt/tableau/tableau_server/keytab

                        sudo cp ./mitkerb.<tableau_server>.keytab /var/opt/tableau/tableau_server/keytab/kerberos.keytab

                        sudo chmod 644 /var/opt/tableau/tableau_server/keytab/kerberos.keytab

              For Kerberos RunAs connection:

                   Create a keytab file (on Tableau Server):

                        sudo ktutil

                        ktutil:  addent -password -p <Server_RunAs_user>@DOMAIN.LAN -k 2 -e RC4-HMAC

                        ktutil:  wkt <Server_RunAs_user>-runas.keytab

                        ktutil:  quit

                   Copy the keytab file to /var/opt/tableau/tableau_server/keytab (on Tableau Server):

                        sudo cp ./<Server_RunAs_user>-runas.keytab /var/opt/tableau/tableau_server/keytab/

                        sudo chmod 644 /var/opt/tableau/tableau_server/keytab/<Server_RunAs_user>-runas.keytab

     

    3.    Windows Client Configuration on MIT Kerberos realm

     

         Register a Windows client to MIT KDC:

     

         a.    Add the Windows client to MIT Kerberos database.

              E.g. sudo kadmin.local -q "ank -pw password host/<windows_client>.domain.lan"

         b.    Register the Windows client to the DNS server.

         c.    Join the Windows client to MIT Kerberos domain realm:

              Create a local Windows account: <Kerberos_user>

              Sign-in to the Windows client as the local Windows account.

              Configure MIT Kerberos domain (realm) and DNS server using ksetup:

                   ksetup /setdomain DOMAIN.LAN

                   ksetup /addkdc DOMAIN.LAN xxx.xxx.xxx.xxx

              Restart the Windows client, then sign-in locally as <Kerberos_user>.

                   shutdown /r /t 0 (from a command prompt)

              Set a computer password and map a Kerberos principal:

                   ksetup /setmachpassword password

                   ksetup /mapuser * *

         d.    Create krb5.ini in:

              C:\Windows (Or C:\ProgramData\MIT\Kerberos5 with MIT Kerberos Client installed)

                   [libdefaults]

                   forwardable = true

                   ticket_lifetime = 6000

                   default_realm = DOMAIN.LAN

                   clockskew = 13000

                   default_tkt_enctypes = rc4-hmac

                   default_tgs_enctypes = rc4-hmac

     

                   [realms]

                   DOMAIN.LAN = {

                     kdc = <openldap_server>.domain.lan

                     admin_server = <openldap_server>.domain.lan

                   }

     

                   [domain_realm]

                   .domain.lan = DOMAIN.LAN

                   domain.lan = DOMAIN.LAN

         e.    Configure a Kerberos cache location in environment variables:

              Create a folder: C:\krbtemp

              Set an environment variable:

                   Name: KRB5CCNAME

                   Value: FILE:C:\krbtemp\krb5cache
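The Linux /etc/krb5.conf in section 2 and the Windows krb5.ini above share one profile format: [section] headers, key = value lines, and key = { ... } subsections, which carry meaning inside [realms] but not inside [domain_realm], where a client expects plain domain-to-realm mappings and otherwise cannot map domain.lan to a realm. The following Python is an added example, not from this guide or from MIT Kerberos: a small parser for that format plus checks for the mistakes a client would otherwise hit at its first kinit (default realm missing under [realms], a realm without a kdc, domain mappings nested in a subsection or pointing at an unknown realm, enctypes pinned to RC4). The two embedded configurations are constructed, with ldap1.domain.lan as a hypothetical KDC host.

```python
# Constructed krb5.conf in the shape of the Linux client configuration in section 2.
GOOD_CONF = """\
[libdefaults]
default_realm = DOMAIN.LAN
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = true

[realms]
DOMAIN.LAN = {
  kdc = ldap1.domain.lan
  admin_server = ldap1.domain.lan
}

[domain_realm]
.domain.lan = DOMAIN.LAN
domain.lan = DOMAIN.LAN
"""

# Constructed krb5.ini reproducing two things worth catching: domain_realm mappings
# wrapped in a 'DOMAIN = { }' subsection, and enctypes pinned to RC4.
SUSPECT_INI = """\
[libdefaults]
default_realm = DOMAIN.LAN
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
DOMAIN.LAN = {
  kdc = ldap1.domain.lan
}

[domain_realm]
DOMAIN = {
  .domain.lan = DOMAIN.LAN
  domain.lan = DOMAIN.LAN
}
"""


def parse_krb5_profile(text):
    """Parse the [section] / key = value / key = { ... } format of krb5.conf and
    krb5.ini into nested dicts. Comments start with # or ;. A key repeated in one
    block keeps its last value, which is enough for the checks below."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
        elif line == "}":
            if len(stack) < 2:
                raise ValueError("unmatched '}'")
            stack.pop()
        else:
            if not stack:
                raise ValueError(f"setting outside any section: {line!r}")
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"not a key = value line: {line!r}")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return sections


def check_krb5_profile(sections):
    """Problems a Kerberos client with this profile would run into."""
    problems = []
    libdefaults = sections.get("libdefaults", {})
    realms = sections.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        problems.append("libdefaults: default_realm is not set")
    elif default_realm not in realms:
        problems.append(f"realms: no [realms] entry for default_realm {default_realm}")
    for realm, cfg in realms.items():
        if not isinstance(cfg, dict) or "kdc" not in cfg:
            problems.append(f"realms: {realm} has no kdc")
    for domain, realm in sections.get("domain_realm", {}).items():
        if isinstance(realm, dict):
            problems.append(f"domain_realm: '{domain} = {{ ... }}' is a subsection; "
                            "mappings must sit directly under [domain_realm]")
        elif realm not in realms:
            problems.append(f"domain_realm: {domain} maps to undefined realm {realm}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        value = libdefaults.get(key, "")
        if "rc4" in value.lower() or "arcfour" in value.lower():
            problems.append(f"libdefaults: {key} = {value} pins a deprecated RC4 enctype")
    return problems


if __name__ == "__main__":
    for name, text in (("krb5.conf", GOOD_CONF), ("krb5.ini", SUSPECT_INI)):
        print(name, check_krb5_profile(parse_krb5_profile(text)) or ["OK"])
```

Pinning default_tkt_enctypes and default_tgs_enctypes to rc4-hmac, as the krb5.ini above does, forces a deprecated enctype for every ticket the client requests; leaving both lines out lets the MIT client negotiate AES with the KDC.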

     

    Test steps for GSSAPI and Kerberos connections from a command line:

     

    1.    LDAPSearch via GSSAPI:

         a.    kinit <Kerberos_user>

         b.    ldapsearch -Y GSSAPI -b "dc=domain,dc=lan" '(uid=<Kerberos_user>)'

              SASL/GSSAPI authentication started

              SASL username: <Kerberos_user>@DOMAIN.LAN

              SASL SSF: 56

              SASL data security layer installed.

              ...

     

    2.    Kerberos connection:

         a.    sudo vi /etc/odbcinst.ini

              [ODBC Drivers]

              Teradata=Installed

     

              [Teradata]

              Description=Teradata Database ODBC Driver 16.10

              Driver=/opt/teradata/client/ODBC_64/lib/tdataodbc_sb64.so

              UsageCount=1

         b.    sudo vi /etc/odbc.ini

              [ODBC Data Sources]

              TeradataKerb=Teradata

     

              [TeradataKerb]

              Driver=/opt/teradata/client/ODBC_64/lib/tdataodbc_sb64.so

              DBCName=<database_server>.domain.lan

              LastUser=

              Username=

              Password=

              Database=Test

              MechanismName=KRB5

              DATETIMEFORMAT=AAA

              MaxRespSize=1048576

         c.    kinit <Kerberos_user>

         d.    isql -v TeradataKerb

              +---------------------------------------+

              | Connected!                            |

              ...

              +---------------------------------------+

              ...

              SQL> SELECT HostId ,SessionNo ,LogonTime ,LogonSource ,UserName ,UserAccount ,UserId FROM TABLE(MonitorSession(-1, '*', 0)) AS T2;

              ...

              <Kerberos_user>

              ...

              SQLRowCount returns 2

              2 rows fetched

              SQL> quit

     

    3.    Kerberos schema in a user property on OpenLDAP:

         a.    ldapsearch -x -W -h <openldap_server>.domain.lan -p 389 -D 'cn=ldapadm,dc=domain,dc=lan' '(uid=<Server_RunAs_user>)' -b "dc=domain,dc=lan"

              # extended LDIF

              #

              # LDAPv3

              # base <dc=domain,dc=lan> with scope subtree

              # filter: (uid=<Server_RunAs_user>)

              # requesting: ALL

              #

              # <Server_RunAs_user>, People, domain.lan

              dn: uid=<Server_RunAs_user>,ou=People,dc=domain,dc=lan

              ...

              uid: <Server_RunAs_user>

              krbPrincipalName: HTTP/<Server_RunAs_user>.domain.lan@DOMAIN.LAN

              krbAllowedToDelegateTo: TERADATA/<database_server>.domain.lan@DOMAIN.LAN

              krbTicketFlags: 3145728

              krbLoginFailedCount: 0

              krbPrincipalKey::

              ...

              # search result

              search: 2

              result: 0 Success

              # numResponses: 2

              # numEntries: 1