Configuring the KDC

To authenticate users with the Kerberos tickets, SingleStore must be provided with a service principal name (SPN) stored in a keytab file. The SPN is a unique identifier for SingleStore, and the keytab file contains the encrypted keys for the SingleStore SPN. Together, the SPN and keytab file serve as a credential for SingleStore that allows your cluster to automatically authenticate Kerberos users.

Your SingleStore deployment environment may affect the way your SPNs and keytab files are generated. For example, if you are using a load balancer in front of your SingleStore cluster, its SPN may need to be added to the keytab file that will be copied to each aggregator node in the cluster.

The following sections describe how to create an SPN and keytab file for KDC servers running on Linux/Unix and Windows.

Creating a Service Principal Name and Keytab File

To create an SPN for SingleStore, you must have sufficient permissions to access the KDC server’s terminal and to create new SPNs.

Note

A keytab file is a credential that must be handled in a secure manner. Ensure that the appropriate precautions are taken when storing or copying a keytab file.

Unix Kerberos KDC (MIT or Heimdal)

The following steps use the kadmin command-line interface to create an SPN and keytab file on a Linux/Unix-based KDC server. Refer to the kadmin documentation for more information.

Run the following command to create the SPN for SingleStore, replacing host.domain.com with the fully-qualified domain name for the host.

kadmin -q "addprinc -randkey memsql/host.domain.com"

You can verify that the SPN was created successfully by running the following getprinc command.

kadmin -q "getprinc memsql/host.domain.com"

After the SingleStore SPN has been created, create the keytab file. Run the following command, replacing /path/to/memsql.keytab with the desired output path, and host.domain.com with the fully-qualified domain name for the host.

kadmin -q "ktadd -k /path/to/memsql.keytab memsql/host.domain.com"

Note the output path for the keytab file, as you will need to copy it to SingleStore aggregator nodes in future steps.

You can verify that the keytab file was created successfully by running the ktutil command.

ktutil

At the ktutil prompt, enter the path to the keytab file you just created and list its contents.

ktutil: read_kt /path/to/memsql.keytab
ktutil: list

If the keytab file was successfully added, output similar to the following will be displayed.

slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3          memsql/host.domain.com@DOMAIN.COM
   2    3          memsql/host.domain.com@DOMAIN.COM

Note the Key Version Number (KVNO) value. If you create a new keytab file in the future, the encryption keys stored in the older keytab file will be invalidated. You can use this KVNO value to compare an older and newer keytab file for versioning purposes.

Windows Active Directory KDC

The following steps use ktpass.exe, a command-line tool for Windows versions configured with Active Directory Domain Services (AD DS). When ktpass.exe is run with the appropriate parameters, it generates a keytab file that maps an existing Active Directory user principal name (UPN) to a SingleStore service principal name (SPN) and allows Kerberos-authenticated users to connect to the cluster. Refer to the ktpass.exe documentation for more information.

Run the following command in a new command-line window with Administrator permissions, replacing any placeholder values with your own.

ktpass.exe /princ memsql/host.domain.com@DOMAIN.COM /mapuser memsqluser /pass +rndpass /out memsql.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set

where:

  • host.domain.com@DOMAIN.com is the fully-qualified domain name for the host

  • memsqluser is the name of the Active Directory user object to bind with the SingleStore SPN

Last modified: April 26, 2023

Was this article helpful?