Kerberos
Kerberos is a network authentication protocol that uses secret-key cryptography to provide secure authentication between a client and a server. The Atlas system uses the Kerberos protocol to authenticate users against domain servers such as Active Directory and LDAP.
Ticket Operations
Kerberos tickets let users authenticate to Kerberized services (applications) without entering a username and password again after the initial authentication. To hold Kerberos tickets, you must first obtain a Ticket Granting Ticket (TGT). The ticket operations are: obtaining a TGT and listing or destroying all tickets.
Obtain TGT
You can use this route to obtain a Ticket Granting Ticket (TGT) from your Key Distribution Center (KDC). A TGT is required to join a domain as well as to get service tickets, which you will need for the Samba service. Pass the Kerberos server's realm, admin username, and admin password in order to obtain a TGT.
Request Object
+ URL
  /api/v2/kerberos/ticket/obtain
+ Method
  POST
+ Parameters
  realm (string, optional, Body) - Should be the same as the domain. It is usually all caps (e.g. EXAMPLE.COM).
  username (string, optional, Body) - Domain admin username, e.g. administrator
  password (string, optional, Body) - Domain admin password
  path (string, optional, Body) - Path to your keytab file. Default is /etc/krb5.keytab.
  principal (string, optional, Body) - A unique identity to which Kerberos can assign tickets, e.g. HOSTNAME$@EXAMPLE.COM
+ Headers
  Content-Type: application/json
  token: ThisIsNotARealTokenGenerateYourOwnToken
+ Body
  {
    "realm": "EXAMPLE.COM",
    "username": "administrator",
    "password": "megamadmin"
  }
Response Object
Returns a success message in the response body. To check your TGT, use the List Tickets route.
+ Headers
  X-Powered-By: OpenDrives
  Access-Control-Allow-Origin: *
  Content-Type: application/json; charset=utf-8
+ Body
  {
    "message": "Successfully obtained a ticket-granting ticket from the realm, EXAMPLE.COM"
  }
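The exchange above, as an added example that is not part of the Atlas API or its documentation: a small client that posts the obtain request, then reads the ticket list back and confirms that the cache's default principal is really the username@realm that was requested, rather than trusting the success message alone. The host name and token are placeholders, and the HTTP transport is injectable so the exchange can be exercised offline; the request and response shapes are taken from this page.

```python
import json
import urllib.request

# Placeholders (assumed): replace with your Atlas host and a token you generated yourself.
BASE_URL = "https://atlas.example.invalid"
TOKEN = "ThisIsNotARealTokenGenerateYourOwnToken"


def urllib_send(method, url, headers, body):
    """Default transport: JSON-encode the body, send it, return (status, decoded JSON)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read().decode())


class KerberosTicketClient:
    """Wrapper for the Obtain TGT and List Tickets routes. `send` is injectable so the
    exchange can be replayed against a fake server without network access."""

    def __init__(self, base_url=BASE_URL, token=TOKEN, send=urllib_send):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.send = send

    def _headers(self):
        # The API authenticates the caller with a custom "token" header, as documented above.
        return {"Content-Type": "application/json", "token": self.token}

    def obtain_tgt(self, realm, username, password):
        """POST /api/v2/kerberos/ticket/obtain and return the server's success message."""
        status, payload = self.send(
            "POST", self.base_url + "/api/v2/kerberos/ticket/obtain", self._headers(),
            {"realm": realm, "username": username, "password": password})
        if status != 200 or "message" not in payload:
            raise RuntimeError(f"obtain failed: HTTP {status} {payload!r}")
        return payload["message"]

    def list_tickets(self):
        """GET /api/v2/kerberos/ticket/list and return the raw klist text.
        The page shows an empty {} body for this GET; no body is sent here."""
        status, payload = self.send(
            "GET", self.base_url + "/api/v2/kerberos/ticket/list", self._headers(), None)
        if status != 200 or "raw" not in payload:
            raise RuntimeError(f"list failed: HTTP {status} {payload!r}")
        return payload["raw"]

    def obtain_and_verify(self, realm, username, password):
        """Obtain a TGT, then confirm the cache's default principal is the one requested.
        Returns True only if the cache really holds username@realm."""
        self.obtain_tgt(realm, username, password)
        for line in self.list_tickets().splitlines():
            if line.startswith("Default principal:"):
                return line.split(":", 1)[1].strip() == f"{username}@{realm}"
        return False
```

Because the password travels in the JSON body, the client should only ever be pointed at an HTTPS base URL; the default transport does not downgrade the scheme.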
List Tickets
Using this route, you can list all Kerberos tickets including your TGT.
Request Object
+ URL
  /api/v2/kerberos/ticket/list
+ Method
  GET
+ Headers
  Content-Type: application/json
  token: ThisIsNotARealTokenGenerateYourOwnToken
+ Body
  {}
Response Object
Returns the location of the Kerberos ticket cache, the default principal, the service principals, each ticket's start and expiry times, and its renew-until time.
+ Headers
  X-Powered-By: OpenDrives
  Access-Control-Allow-Origin: *
  Content-Type: application/json; charset=utf-8
+ Body
  {
    "raw": "Ticket cache: FILE:/tmp/krb5cc_0\nDefault principal: administrator@EXAMPLE.COM\n\nValid starting Expires Service principal\n12/08/2020 17:47:08 12/09/2020 03:47:08 krbtgt/EXAMPLE.COM@EXAMPLE.COM\n\trenew until 12/09/2020 17:47:08\n"
  }
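The "raw" value is the text of klist, so anything that monitors the TGT has to parse it. The following is an added example, not code from OpenDrives or the Atlas API: it parses the raw string from the response above into structured fields and classifies the TGT as valid, renewable (expired but still inside its renew window), expired or missing. The sample string is copied from the response on this page, and the MM/DD/YYYY timestamp layout is assumed from that sample (klist prints times in the local format).

```python
import re
from datetime import datetime

# Constructed sample: the "raw" value from the List Tickets response above.
SAMPLE_RAW = (
    "Ticket cache: FILE:/tmp/krb5cc_0\n"
    "Default principal: administrator@EXAMPLE.COM\n\n"
    "Valid starting Expires Service principal\n"
    "12/08/2020 17:47:08 12/09/2020 03:47:08 krbtgt/EXAMPLE.COM@EXAMPLE.COM\n"
    "\trenew until 12/09/2020 17:47:08\n"
)

# Timestamp layout assumed from the sample above; adjust FMT/TS for other locales.
TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s*renew until ({TS})$")
FMT = "%m/%d/%Y %H:%M:%S"


def parse_klist(raw):
    """Turn raw klist text into a dict with the cache, default principal and ticket list."""
    info = {"cache": None, "principal": None, "tickets": []}
    for line in raw.splitlines():
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
            continue
        if line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            info["tickets"].append({
                "valid_from": datetime.strptime(m.group(1), FMT),
                "expires": datetime.strptime(m.group(2), FMT),
                "service": m.group(3),
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and info["tickets"]:  # a renew line belongs to the ticket printed just above it
            info["tickets"][-1]["renew_until"] = datetime.strptime(m.group(1), FMT)
    return info


def tgt_status(raw, now=None):
    """Classify the TGT for the default principal's realm as 'valid', 'renewable',
    'expired' or 'missing'. `now` is an ISO-8601 string; it defaults to the clock."""
    now = datetime.fromisoformat(now) if now else datetime.now()
    info = parse_klist(raw)
    if not info["principal"]:
        return "missing"
    realm = info["principal"].rsplit("@", 1)[-1]
    for t in info["tickets"]:
        if t["service"] == f"krbtgt/{realm}@{realm}":
            if now < t["expires"]:
                return "valid"
            if t["renew_until"] and now < t["renew_until"]:
                return "renewable"
            return "expired"
    return "missing"
```

A status of "renewable" means the TGT can still be refreshed without re-sending the admin password; "expired" means the obtain route must be called again. The cache path is also worth recording: FILE:/tmp/krb5cc_0 is a credential cache owned by uid 0 on that host.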
Kerberos Keys
List All Keys
Send this request to list all keys in the keytab file. If path is not given, the default path (/etc/krb5.keytab) is used.
Request Object
+ URL
  /api/v2/kerberos/key/list
+ Method
  POST
+ Parameters
  path (string, optional, Body) - The path of the Kerberos keytab file.
+ Headers
  Content-Type: application/json
  token: ThisIsNotARealTokenGenerateYourOwnToken
+ Body
  {}
Response Object
Returns a raw string of all the keys included in the keytab file.
+ Headers
  X-Powered-By: OpenDrives
  Access-Control-Allow-Origin: *
  Content-Type: application/json; charset=utf-8
+ Body
  {
    "raw": "Keytab name: FILE:/etc/krb5.keytab\nKVNO Timestamp Principal\n---- ------------------- ------------------------------------------------------\n 2 04/29/2021 09:47:12 YOUR_HOSTNAME$@EXAMPLE.COM\n 2 04/29/2021 09:47:12 YOUR_HOSTNAME$@EXAMPLE.COM\n 2 04/29/2021 09:47:12 YOUR_HOSTNAME$@EXAMPLE.COM\n 2 04/29/2021 09:47:12 YOUR_HOSTNAME$@EXAMPLE.COM\n 2 04/29/2021 09:47:12 YOUR_HOSTNAME$@EXAMPLE.COM\n 2 04/29/2021 09:47:12 YOUR_HOSTNAME$@EXAMPLE.COM\n 2 04/29/2021 09:47:12 host/YOUR_HOSTNAME@EXAMPLE.COM\n 2 04/29/2021 09:47:12 host/YOUR_HOSTNAME@EXAMPLE.COM\n 2 04/29/2021 09:47:12 host/YOUR_HOSTNAME@EXAMPLE.COM\n 2 04/29/2021 09:47:12 host/YOUR_HOSTNAME@EXAMPLE.COM\n 2 04/29/2021 09:47:12 host/YOUR_HOSTNAME@EXAMPLE.COM\n 2 04/29/2021 09:47:12 host/YOUR_HOSTNAME@EXAMPLE.COM\n 2 04/29/2021 09:47:12 host/your_hostname.openlab.com@EXAMPLE.COM\n 2 04/29/2021 09:47:12 host/your_hostname.openlab.com@EXAMPLE.COM\n 2 04/29/2021 09:47:12 host/your_hostname.openlab.com@EXAMPLE.COM\n 2 04/29/2021 09:47:12 host/your_hostname.openlab.com@EXAMPLE.COM\n 2 04/29/2021 09:47:12 host/your_hostname.openlab.com@EXAMPLE.COM\n 2 04/29/2021 09:47:12 host/your_hostname.openlab.com@EXAMPLE.COM\n 2 04/29/2021 09:47:12 RestrictedKrbHost/YOUR_HOSTNAME@EXAMPLE.COM\n 2 04/29/2021 09:47:12 RestrictedKrbHost/YOUR_HOSTNAME@EXAMPLE.COM\n 2 04/29/2021 09:47:12 RestrictedKrbHost/YOUR_HOSTNAME@EXAMPLE.COM\n 2 04/29/2021 09:47:12 RestrictedKrbHost/YOUR_HOSTNAME@EXAMPLE.COM\n 2 04/29/2021 09:47:12 RestrictedKrbHost/YOUR_HOSTNAME@EXAMPLE.COM\n 2 04/29/2021 09:47:12 RestrictedKrbHost/YOUR_HOSTNAME@EXAMPLE.COM\n 2 04/29/2021 09:47:12 RestrictedKrbHost/your_hostname.openlab.com@EXAMPLE.COM\n 2 04/29/2021 09:47:12 RestrictedKrbHost/your_hostname.openlab.com@EXAMPLE.COM\n 2 04/29/2021 09:47:12 RestrictedKrbHost/your_hostname.openlab.com@EXAMPLE.COM\n 2 04/29/2021 09:47:12 RestrictedKrbHost/your_hostname.openlab.com@EXAMPLE.COM\n 2 04/29/2021 09:47:12 RestrictedKrbHost/your_hostname.openlab.com@EXAMPLE.COM\n 2 04/29/2021 09:47:12 RestrictedKrbHost/your_hostname.openlab.com@EXAMPLE.COM\n"
  }
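The raw listing has the layout of klist -kt: one line per keytab entry, and a keytab holds one entry per encryption type, which is why every principal appears several times with the same KVNO. The following added example (not code from OpenDrives or the Atlas API) parses that text, collapses the per-enctype repeats into a KVNO set per principal, and reports principals that still carry keys of an older KVNO next to the current one. The sample is an abbreviated, constructed form of the response above with one stale KVNO 1 entry added to exercise the check.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated from the List All Keys response above, plus one
# invented KVNO 1 line for host/YOUR_HOSTNAME so the stale-key check has something to find.
SAMPLE_KEYTAB = (
    "Keytab name: FILE:/etc/krb5.keytab\n"
    "KVNO Timestamp Principal\n"
    "---- ------------------- ------------------------------------------------------\n"
    "   2 04/29/2021 09:47:12 YOUR_HOSTNAME$@EXAMPLE.COM\n"
    "   2 04/29/2021 09:47:12 YOUR_HOSTNAME$@EXAMPLE.COM\n"
    "   2 04/29/2021 09:47:12 host/YOUR_HOSTNAME@EXAMPLE.COM\n"
    "   1 04/01/2021 08:00:00 host/YOUR_HOSTNAME@EXAMPLE.COM\n"
    "   2 04/29/2021 09:47:12 RestrictedKrbHost/your_hostname.openlab.com@EXAMPLE.COM\n"
)

# KVNO, timestamp (layout assumed from the sample), principal. The header and the
# dashed rule do not match because their first column is not numeric.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(\S+)$")


def parse_keytab_listing(raw):
    """Return (keytab_path, entries) with one (kvno, timestamp, principal) tuple per line."""
    path, entries = None, []
    for line in raw.splitlines():
        if line.startswith("Keytab name:"):
            path = line.split(":", 1)[1].strip()
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return path, entries


def summarize_principals(entries):
    """Map each principal to the sorted list of distinct KVNOs present for it.
    Repeated lines with the same KVNO are normal: they are the per-enctype entries."""
    kvnos = defaultdict(set)
    for kvno, _, principal in entries:
        kvnos[principal].add(kvno)
    return {p: sorted(v) for p, v in kvnos.items()}


def stale_principals(entries):
    """Principals that keep keys of more than one KVNO. After a machine-account password
    rotation the old KVNO is expected briefly; keys that linger are cleanup candidates."""
    return sorted(p for p, v in summarize_principals(entries).items() if len(v) > 1)


def principals_outside_realm(entries, realm):
    """Principals whose realm is not the one this host was joined to; an unexpected realm in
    the system keytab is worth investigating."""
    return sorted({p for _, _, p in entries if not p.endswith("@" + realm)})
```

Comparing the KVNO in the keytab with the KVNO the KDC currently issues is the usual cause of "key version mismatch" errors after a rejoin; the summary makes that comparison a one-line lookup.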
Global Configuration Operations
Get or update the global Kerberos configuration. If you update the global configuration file, the parameters you add or remove affect every domain in your individual configuration files. Do not remove the includedir /etc/krb5.conf.d line at the top of the global configuration file; it includes all individual configuration files from that directory in the global configuration.
Get Global Kerberos Configuration File
You can use this route to get the global Kerberos configuration file: krb5.conf.
Request Object
+ URL
  /api/v2/kerberos/conf
+ Method
  GET
+ Headers
  Content-Type: application/json
  token: ThisIsNotARealTokenGenerateYourOwnToken
+ Body
  {}
Response Object
You will get the raw and JSON-parsed output of the global Kerberos configuration file.
+ Headers
  X-Powered-By: OpenDrives
  Access-Control-Allow-Origin: *
  Content-Type: application/json; charset=utf-8
+ Body
  {
    "raw": "includedir /etc/krb5.conf.d/\n\n[logging]\n\tdefault = FILE:/var/log/krb5libs.log\n\tkdc = FILE:/var/log/krb5kdc.log\n\tadmin_server = FILE:/var/log/kadmind.log\n\n[libdefaults]\n\tdns_lookup_realm = false\n\tkdc_timesynce = 1\n\tccache_type = 4\n\tforwardable = true\n\tdefault_keytab_name = FILE:/etc/krb5.keytab\n\tdns_lookup_kdc = true\n",
    "json": {
      "logging": {
        "default": "FILE:/var/log/krb5libs.log",
        "kdc": "FILE:/var/log/krb5kdc.log",
        "admin_server": "FILE:/var/log/kadmind.log"
      },
      "libdefaults": {
        "dns_lookup_realm": "false",
        "kdc_timesynce": "1",
        "ccache_type": "4",
        "forwardable": "true",
        "default_keytab_name": "FILE:/etc/krb5.keytab",
        "dns_lookup_kdc": "true"
      }
    }
  }
Update Global Kerberos Configuration File
Update the global Kerberos configuration file using this route. Configurations that you update are applied to all individual domains. Pass the contents of the configuration file as a raw string.
Request Object
+ URL
  /api/v2/kerberos/conf/update
+ Method
  POST
+ Parameters
  conf (string, required, Body) - The raw configuration file text you would like to set as the global Kerberos config.
+ Headers
  Content-Type: application/json
  token: ThisIsNotARealTokenGenerateYourOwnToken
+ Body
  {
    "conf": "includedir /etc/krb5.conf.d/\n\n[logging]\n\tdefault = FILE:/var/log/krb5libs.log\n\tkdc = FILE:/var/log/krb5kdc.log\n\tadmin_server = FILE:/var/log/kadmind.log\n\n[libdefaults]\n\tdns_lookup_realm = false\n\tkdc_timesynce = 1\n\tccache_type = 4\n\tforwardable = true\n\tdefault_keytab_name = FILE:/etc/krb5.keytab\n\tdns_lookup_kdc = true\n"
  }
Individual Realm Configuration Operations
List Individual Realm Configuration Files
List, create, get, update, and delete individual Kerberos realm configuration files. All individual files are automatically included in the global configuration file by the includedir parameter in krb5.conf.
Request Object
+ URL
  /api/v2/kerberos/realm
+ Method
  GET
+ Headers
  Content-Type: application/json
  token: ThisIsNotARealTokenGenerateYourOwnToken
+ Body
  {}
Response Object
Returns an object where the keys are the individual file names. Each key’s value is an object that has two properties: raw and json.
+ Headers
  X-Powered-By: OpenDrives
  Access-Control-Allow-Origin: *
  Content-Type: application/json; charset=utf-8
+ Body
  {
    "applefarmlocal": {
      "raw": "[realms]\n\tEXAMPLE.COM = {\n\t\tkdc = ldap01.example.com\n\t\tadmin_server = ldap01.example.com\n\t}\n\n[domain_realm]\n\t.example.com = EXAMPLE.COM\n\texample.com = EXAMPLE.COM\n",
      "json": {
        "realms": {
          "EXAMPLE.COM": {
            "kdc": ["ldap01.example.com"],
            "admin_server": "ldap01.example.com"
          }
        },
        "domain_realm": {
          ".example.com": "EXAMPLE.COM",
          "example.com": "EXAMPLE.COM"
        }
      }
    }
  }
Create Individual Realm Configuration File
Create a new individual realm configuration file.
Request Object
+ URL
  /api/v2/kerberos/realm/create
+ Method
  POST
+ Parameters
  name (string, required, Body) - Name of the Kerberos realm configuration file you would like to create.
  conf ([object, string], required, Body) - Either an object or a raw configuration file string used to set the individual Kerberos realm config.
+ Headers
  Content-Type: application/json
  token: ThisIsNotARealTokenGenerateYourOwnToken
+ Body
  {
    "name": "ldap02.example.com",
    "conf": {
      "realms": {
        "EXAMPLE.COM": {
          "kdc": ["ldap02.example.com", "ldap03.example.com"],
          "admin_server": "ldap01.example.com"
        }
      },
      "domain_realm": {
        ".example.com": "EXAMPLE.COM",
        "example.com": "EXAMPLE.COM"
      }
    }
  }
Get Individual Realm Configuration File
Read an existing individual realm configuration file by passing the file name as a parameter in the URL.
Request Object
+ URL
  /api/v2/kerberos/realm/$NAME/details
+ Method
  GET
+ Parameters
  name (string, required, URL param) - The name of the individual realm configuration file you want to read; you don't need to include the file extension (e.g. /api/v2/kerberos/realm/examplecom/details).
+ Headers
  Content-Type: application/json
  token: ThisIsNotARealTokenGenerateYourOwnToken
+ Body
  {}
Response Object
The response body holds the raw and JSON-parsed output of the individual realm configuration file you requested.
+ Headers
  X-Powered-By: OpenDrives
  Access-Control-Allow-Origin: *
  Content-Type: application/json; charset=utf-8
+ Body
  {
    "raw": "[realms]\n\tEXAMPLE.COM = {\n\t\tkdc = ldap01.example.com\n\t\tadmin_server = ldap01.example.com\n\t}\n\n[domain_realm]\n\t.example.com = EXAMPLE.COM\n\texample.com = EXAMPLE.COM\n",
    "json": {
      "realms": {
        "EXAMPLE.COM": {
          "kdc": ["ldap01.example.com"],
          "admin_server": "ldap01.example.com"
        }
      },
      "domain_realm": {
        ".example.com": "EXAMPLE.COM",
        "example.com": "EXAMPLE.COM"
      }
    }
  }
Update Individual Realm Configuration File
Update an existing individual realm configuration file. Pass the name of the file you want to update in the URL as a parameter and pass the configuration in the request body as conf.
Request Object
+ URL
  /api/v2/kerberos/realm/$NAME/update
+ Method
  POST
+ Parameters
  name (string, required, URL param) - The name of the individual realm configuration file you want to update; you don't need to include the file extension (e.g. /api/v2/kerberos/realm/examplecom/update).
+ Headers
  Content-Type: application/json
  token: ThisIsNotARealTokenGenerateYourOwnToken
+ Body
  {
    "conf": {
      "realms": {
        "EXAMPLE.COM": {
          "kdc": ["ldap02.example.com", "ldap03.example.com"],
          "admin_server": "ldap01.example.com"
        }
      },
      "domain_realm": {
        ".example.com": "EXAMPLE.COM",
        "example.com": "EXAMPLE.COM"
      }
    }
  }
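Both the global configuration routes and the individual realm routes above exchange krb5.conf text in one direction and a JSON object in the other, and the create and update routes accept either form. The following is an added example, not code from OpenDrives or the Atlas API: a parser that turns the raw text into the same JSON shape the responses show (with one difference: includedir lines are kept, so a file survives a round trip), the matching serializer that emits the tab-indented text, and a pre-flight check for the global update route that refuses to drop the includedir line this page warns about and flags [libdefaults] keys libkrb5 would silently ignore. The sample strings are copied from the responses on this page; KNOWN_LIBDEFAULTS is a partial, assumed allow-list. Because the page's own sample spells kdc_timesynce, the checker reports it.

```python
import re

# Constructed samples: the raw strings from the global and individual realm responses above.
GLOBAL_RAW = (
    "includedir /etc/krb5.conf.d/\n\n[logging]\n\tdefault = FILE:/var/log/krb5libs.log\n"
    "\tkdc = FILE:/var/log/krb5kdc.log\n\tadmin_server = FILE:/var/log/kadmind.log\n\n"
    "[libdefaults]\n\tdns_lookup_realm = false\n\tkdc_timesynce = 1\n\tccache_type = 4\n"
    "\tforwardable = true\n\tdefault_keytab_name = FILE:/etc/krb5.keytab\n\tdns_lookup_kdc = true\n"
)
REALM_RAW = (
    "[realms]\n\tEXAMPLE.COM = {\n\t\tkdc = ldap01.example.com\n\t\tadmin_server = ldap01.example.com\n\t}\n\n"
    "[domain_realm]\n\t.example.com = EXAMPLE.COM\n\texample.com = EXAMPLE.COM\n"
)

SECTION_RE = re.compile(r"^\[([A-Za-z_]+)\]$")
ALWAYS_LIST = {"kdc"}  # inside [realms] the API's JSON shows kdc as a list even for one value
# Partial, assumed allow-list of MIT krb5 [libdefaults] options; extend it for the ones you use.
KNOWN_LIBDEFAULTS = {"default_realm", "dns_lookup_realm", "dns_lookup_kdc", "kdc_timesync",
                     "ccache_type", "forwardable", "proxiable", "default_keytab_name",
                     "default_ccache_name", "ticket_lifetime", "renew_lifetime", "rdns", "clockskew"}


def parse_krb5_conf(raw):
    """Parse krb5.conf text into {'includedir': [...], '<section>': {...}}. One level of
    '{ }' nesting is handled, which is what [realms] uses. Malformed input raises ValueError."""
    conf, stack, section = {"includedir": []}, [], None
    for lineno, line in enumerate(raw.splitlines(), 1):
        s = line.strip()
        if not s or s[0] in "#;":
            continue
        if s.startswith("includedir "):
            conf["includedir"].append(s.split(None, 1)[1])
            continue
        m = SECTION_RE.match(s)
        if m:
            section = m.group(1)
            stack = [conf.setdefault(section, {})]
            continue
        if s == "}":
            if len(stack) < 2:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
            continue
        if "=" not in s or not stack:
            raise ValueError(f"line {lineno}: expected 'key = value' inside a section, got {s!r}")
        key, value = (p.strip() for p in s.split("=", 1))
        cur = stack[-1]
        if value == "{":
            cur[key] = {}
            stack.append(cur[key])
        elif key in cur:  # repeated key (several kdc lines) -> list
            cur[key] = (cur[key] if isinstance(cur[key], list) else [cur[key]]) + [value]
        elif key in ALWAYS_LIST and section == "realms":
            cur[key] = [value]
        else:
            cur[key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' block")
    return conf


def serialize_krb5_conf(conf):
    """Inverse of parse_krb5_conf, using the tab indentation of the API's raw output."""
    out = [f"includedir {d}" for d in conf.get("includedir", [])]
    if out:
        out.append("")

    def emit(d, depth):
        for k, v in d.items():
            ind = "\t" * depth
            if isinstance(v, dict):
                out.append(f"{ind}{k} = {{")
                emit(v, depth + 1)
                out.append(f"{ind}}}")
            else:
                for item in (v if isinstance(v, list) else [v]):
                    out.append(f"{ind}{k} = {item}")

    for name, body in conf.items():
        if name != "includedir":
            out.append(f"[{name}]")
            emit(body, 1)
            out.append("")
    return "\n".join(out)


def check_global_conf(raw, required_includedir="/etc/krb5.conf.d"):
    """Pre-flight for the global update route; returns a list of problems (empty = safe to send)."""
    conf = parse_krb5_conf(raw)
    problems = []
    if not any(d.rstrip("/") == required_includedir for d in conf["includedir"]):
        problems.append(f"missing 'includedir {required_includedir}': per-realm files would no longer be loaded")
    for key in conf.get("libdefaults", {}):
        if key not in KNOWN_LIBDEFAULTS:
            problems.append(f"[libdefaults] {key}: not a known option; libkrb5 ignores unknown keys, so it has no effect")
    return problems
```

Running check_global_conf on the text you are about to send to /api/v2/kerberos/conf/update turns the page's "please do not remove includedir" advice into a hard stop, and catches the class of typo where an option such as kdc_timesync is misspelt and the library quietly falls back to its default.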
Delete Individual Realm Configuration File
Delete an existing individual realm configuration file. Pass the name of the file you want to delete in the URL as a parameter.
Request Object
+ URL
  /api/v2/kerberos/realm/$NAME/delete
+ Method
  POST
+ Parameters
  name (string, required, URL param) - The name of the individual realm configuration file you want to delete; you don't need to include the file extension (e.g. /api/v2/kerberos/realm/examplecom/delete).
+ Headers
  Content-Type: application/json
  token: ThisIsNotARealTokenGenerateYourOwnToken
+ Body
  {}