pmontoya21
1 Copper

How to Set maximum number of passwords to retain in Kerberos authentication

For any given CIFS Server, the EMC Celerra provides a CLI command that allows one to "set maximum number of passwords to retain in Kerberos authentication" (page 80). The default value is 2. Page 25 explains why this is important.


https://mydocs.emc.com/VNXDocs/CIFS.pdf

How does one do the same thing for a CIFS server on an Isilon system?

2 Replies
8 Krypton

Re: How to Set maximum number of passwords to retain in Kerberos authentication

Firstly, welcome to the forums, and above all, thank you for being an EMC customer.

Please consider moving this question as-is (no need to recreate) to the proper forum for maximum visibility.  Questions written to the users' own "Discussions" space don't get the same amount of attention and can go unanswered for a long time. 

You can do so by selecting "Move" under ACTIONS along the upper-right.  Then search for and select: "Isilon Support Forum".

0 Kudos
emc-garland
1 Nickel

Re: How to Set maximum number of passwords to retain in Kerberos authentication

Per Tim Wright:

************Snip******************

This is the machine account.
No, we don’t have a setting for the number of passwords. We do keep old and new for a set period.

********************************** Snip***************

If you wanted more info on how Kerberos settings are configured in OneFS, my research yielded:

In the OneFS Administration Guide, release 7.0.1, page 61, it discusses configuring Kerberos Settings. See below:

Configure Kerberos settings

Kerberos 5 protocol configuration is supported through the command line only.

In addition to the global Kerberos configuration file, OneFS includes a Kerberos configuration file for Active Directory. You can modify either file by following this procedure.

Most settings require modification only if you are using a Kerberos Key Distribution Center (KDC) other than Active Directory—for example, if you are using an MIT KDC for NFS version 3 or version 4 authentication.

1.      Establish an SSH connection to any node in the cluster.

2.      Run the isi auth krb5 command with the add, modify, or delete sub-command to specify which entries to modify in the Kerberos configuration file.

For usage information, see the OneFS Command Reference.

******* Kudos to Christopher Imes for the isi auth output below.

ISILON7-1# isi auth krb5 list
krb5cfg.defaults.always_send_preauth=True
krb5cfg.defaults.default_realm=
krb5cfg.defaults.default_tkt_enctypes=RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
krb5cfg.defaults.dns_lookup_realm=True
krb5cfg.defaults.default_keytab_name=
krb5cfg.defaults.permitted_enctypes=RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
krb5cfg.defaults.dns_lookup_kdc=True
krb5cfg.defaults.preferred_enctypes=RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
krb5cfg.defaults.default_tgs_enctypes=RC4-HMAC DES-CBC-MD5 DES-CBC-CRC



3. Propagate the changes to the Kerberos configuration file by running the isi auth krb5 write command.

By default, changes are written to the global Kerberos configuration file, /etc/krb5.conf. To update the Kerberos configuration file for Active Directory, use the --path option to specify the /etc/likewise-krb5-ad.conf file.

Best regards,

Garland

0 Kudos