Kerberos

Atlas 900 Compute Node iBMC (V3.01.00.00 or Later) User Guide 09

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Kerberos

Function Description

On the Kerberos page, you can view and configure Kerberos basic settings and user group information.

The iBMC provides an access interface for Kerberos users. Using a Kerberos user account to log in to the iBMC improves system security. You can log in to the iBMC WebUI as a Kerberos user.

GUI

Choose User and Security > Kerberos.

The page shown in Figure 3-39 is displayed.

Figure 3-39 Kerberos
Click to enlarge

Parameter Description

Table 3-47 Kerberos

Parameter	Description
Kerberos	Setting of the Kerberos login. : enables Kerberos. : disables Kerberos. NOTE: The security policies (password complexity check, password validity period, minimum password age, previous passwords disallowed, and inactive timelimit, and user lockout policy) configured on the authentication server apply to the Kerberos users attempting to log in to the iBMC.
Basic Settings NOTE: Parameters with asterisks (*) are mandatory.
Realm	Kerberos realm. Value: a string of up to 255 characters The value can contain digits, uppercase letter, and special characters (including spaces).
Kerberos Server Address	Address of the Kerberos server. If Kerberos is enabled, enter the FQDN (Host name.Domain name) of the Kerberos server, and configure DNS on the iBMC Settings > Network Settings page. Format: an IPv4 or IPv6 address or a domain name The domain name must meet the following requirements: Contain 0 to 255 characters. Allow digits, letters, hyphens (-), and dots (.) only. Cannot start with a hyphen or dot, or end with a hyphen. Allow a maximum of 63 characters between any two dots.
Kerberos Port	Port number of the Kerberos service. Value range: 1 to 65535 Default value: 88
Key Table	Kerberos key table to be uploaded. The key table must be in the .keytab format. It is left blank by default. NOTE: The key table size cannot be 0 KB or greater than 1 MB. For security purposes, periodically update the key.
Current User Password	Password of the user for logging in to the iBMC.
Kerberos User Group	Displays information about all Kerberos user groups. The iBMC supports a maximum of five Kerberos user groups.
Group Name	Name of the group to which the Kerberos user belongs. Value range: a string of 255 bytes (64 to 255 characters). The specific length varies with the number of bytes of each character.
SID	Security identifier used for Kerberos and user group authorization. For example, S-1-5-21-310440588-250036847-580389505-500. Value range: a string of 255 bytes (64 to 255 characters). The specific length varies with the number of bytes of each character.
Role	Role of the Kerberos user group. Administrator: Users assigned the Administrator role can perform all operations. Operator: Users with the Operator role can perform basic management, remote control, remote media, power control, query information, and configure their own data. Common User: Users assigned with the Common User role can query information and configure their own data. Custom Role: Users assigned Custom Role 1 to Custom Role 4 can perform the specified operations.
Login Interfaces	Interfaces through which the Kerberos group members can log in to the iBMC. Currently, only WebUI login is supported. If Web is selected, users can user a web browser to log in to the iBMC WebUI.
Group Folder	Name of the user folder on the Kerberos server. Format: "CN=xxx" or "OU=xxx" When there are multiple levels of nodes, the upper-level node follows the lower-level node with a comma in between. For example, if the user group grouptest is in \testgroups\part1 on the Kerberos server, enter OU=part1,OU=testgroups. NOTE: For details about the difference between CN and OU, see the description of the Kerberos protocol. In Windows AD, for example, it is: CN if Type is Container. OU if Type is Organizational Unit. Value range: a string of 255 bytes (64 to 255 characters). The specific length varies with the number of bytes of each character.
Login Rules	Login rules that apply to the Kerberos group.

Enabling Kerberos and Configuring the Domain Server

Set Kerberos to .
Set the domain server. For details about the parameters, see Table 3-47.
Click Save.

Importing a Key Table

Click and select the key table to be imported.
Click Open.
After the key table is uploaded, "File uploaded successfully" is displayed.
Enter the password of the current user.

The Kerberos user who logs in using SSO does not need to enter the password.
Click Save.

Adding a Kerberos User Group

A maximum of five Kerberos user groups can be added to the iBMC system.

In the Kerberos User Group area, click Add.

The Add Group page is displayed.

Table 3-48 Adding a Kerberos user group

Parameter	Description
Group Name	Name of the Kerberos user group to be added. Value range: a string of 255 bytes (64 to 255 characters). The specific length varies with the number of bytes of each character.
Group Folder	Name of the user folder on the Kerberos server. Format: "CN=xxx" or "OU=xxx" When there are multiple levels of nodes, the upper-level node follows the lower-level node with a comma in between. For example, if the user group grouptest is in \testgroups\part1 on the Kerberos server, enter OU=part1,OU=testgroups. NOTE: For details about the difference between CN and OU, see the description of the Kerberos protocol. In Windows AD, for example, it is: CN if Type is Container. OU if Type is Organizational Unit. Value range: a string of 255 bytes (64 to 255 characters). The specific length varies with the number of bytes of each character.
SID	Security identifier used for Kerberos and user group authorization. Value range: a string of 255 bytes (64 to 255 characters). The specific length varies with the number of bytes of each character.
Role	Operation permission assigned to an Kerberos group on the iBMC. Value: Administrator, Operator, Common User, and Custom Role 1 to 4
Login Rules	Login rules that apply to the Kerberos group.
Login Interfaces	Interfaces through which the Kerberos group members can log in to the iBMC.
Current User Password	Password of the user for logging in to the iBMC. NOTE: The Kerberos user who logs in using SSO does not need to enter the password.

Set the Kerberos user group parameters. For details, see Table 3-48.
Click Save.
The Kerberos user group is displayed.

Deleting a Kerberos User Group

In the Kerberos User Group area, locate the Kerberos user group to be deleted and click .
A Confirm dialog box is displayed, asking you to enter the current user password.

The Kerberos user who logs in using SSO does not need to enter the password.
Enter the current user password.
Click OK.

Modifying a Kerberos User Group

In the Kerberos User Group area, locate the Kerberos user group to be modified and click .
Modify parameters. For details about the parameters, see Table 3-48.
Click Save.

Function Description
GUI
Parameter Description
Enabling Kerberos and Configuring the Domain Server
Importing a Key Table
Adding a Kerberos User Group
Deleting a Kerberos User Group
Modifying a Kerberos User Group

Translation

简体中文

Download

Updated: 2023-08-04

Document ID: EDOC1100152759

Downloads: 95

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate