Domino supports Kerberos authentication, allowing users to authenticate as themselves when connecting to Kerberos-secured systems.
Users can enable Kerberos authentication at the project level or user level by uploading a Kerberos keytab and principal into Domino. After setup, Runs started by Kerberos-enabled users or in Kerberos-enabled projects automatically run kinit and retrieve the ticket needed to authenticate.
There are two ways to add your krb5.conf file to Domino.
- Add it to your project in a folder named kerberos.
- Add it to your environment at /etc/krb5.conf:
# Dockerfile instruction: append a minimal krb5.conf to the environment image.
# Each line ends in "\" so that the whole chain is a single RUN instruction.
RUN echo "[libdefaults]" >> /etc/krb5.conf && \
    echo " default_realm = [YOUR-DEFAULT-REALM]" >> /etc/krb5.conf && \
    echo " default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc" >> /etc/krb5.conf && \
    echo " default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc" >> /etc/krb5.conf && \
    echo " dns_lookup_kdc = true" >> /etc/krb5.conf && \
    echo " dns_lookup_realm = false" >> /etc/krb5.conf && \
    echo "" >> /etc/krb5.conf && \
    echo "[realms]" >> /etc/krb5.conf && \
    echo " EXAMPLE.COM = {" >> /etc/krb5.conf && \
    echo " kdc = kerberos.example.com" >> /etc/krb5.conf && \
    echo " admin_server = kerberos.example.com" >> /etc/krb5.conf && \
    echo " }" >> /etc/krb5.conf
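The enctype lines in the sample above name des3-hmac-sha1 and des-cbc-crc, which RFC 8429 and RFC 6649 deprecate, so a krb5.conf is worth checking before it is baked into an environment. The following shell function is an added example, not Domino's own code, that flags deprecated enctypes in a krb5.conf. The function name `audit_enctypes`, the `WEAK_RE` deny-list and the AES-only variant in the demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a krb5.conf for deprecated Kerberos encryption types.
# WEAK_RE is this example's own deny-list (an assumption, not a Domino setting):
# single DES and RC4-HMAC-EXP (RFC 6649), triple DES and RC4 (RFC 8429).
WEAK_RE='^(des|des3|rc4|arcfour)(-.*)?$'

# audit_enctypes FILE
# Prints "setting: enctype" for each deprecated value; returns 1 if any is found.
audit_enctypes() {
    awk -v weak="$WEAK_RE" '
        # Whole-line comments in krb5.conf start with "#" or ";".
        /^[ \t]*[#;]/ { next }
        /^[ \t]*(default_tkt_enctypes|default_tgs_enctypes|permitted_enctypes)[ \t]*=/ {
            split($0, kv, "=")
            key = kv[1]; gsub(/[ \t]/, "", key)
            # Values are separated by spaces or commas.
            n = split(kv[2], vals, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                v = tolower(vals[i])
                if (v != "" && v ~ weak) { print key ": " vals[i]; bad = 1 }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Demo on constructed input: the enctype lines from the sample above,
# then a constructed AES-only variant of the same settings.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '[libdefaults]' \
        ' default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc' \
        ' default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc' > "$tmp"
    audit_enctypes "$tmp" || echo "deprecated enctypes found in the sample"
    printf '%s\n' '[libdefaults]' \
        ' default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96' \
        ' default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96' > "$tmp"
    audit_enctypes "$tmp" && echo "AES-only variant passes"
    rm -f "$tmp"
}
demo
```

Which enctypes can replace the deprecated ones depends on what the KDC and the keys in the keytab support.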
To add a keytab and principal that will be used for Runs started by your user:
- Go to Account Settings > Kerberos Integration.
- Select Keytab file based authentication, paste your keytab and principal, then click Save.
To add a keytab and principal that will be used for Runs started by a specific project:
- Open the project Settings and click to open the Integrations tab.
- In the Kerberos panel, click Keytab file based authentication, supply your keytab and principal, then click Save.