Open Distro authentication via Kerberos not working

I installed Open Distro on a CentOS machine. I sent a curl request to verify that Elasticsearch is up and running and I got the response below.

[root@centos ~]# curl -XGET https://centos.mytestingapp.ml:9200 -u 'admin:admin' --insecure
{
  "name" : "node-1",
  "cluster_name" : "my-application",
  "cluster_uuid" : "j4ezsO0sRiKoT4tW77-Sjg",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "oss",
    "build_type" : "rpm",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

After that, I configured Kerberos on Open Distro so that Open Distro can validate the ticket and grant access to the user.

In /etc/elasticsearch/elasticsearch.yml

opendistro_security.kerberos.krb5_filepath: '/etc/krb5.conf'
opendistro_security.kerberos.acceptor_keytab_filepath: 'centos.keytab'
opendistro_security.kerberos.acceptor_principal: 'HTTP/centos.mytestingapp.ml'

In /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml

authc:
      kerberos_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: kerberos
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: true
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern

In /etc/krb5.conf

[root@centos ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 #pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = MYTESTINGAPP.ML
 #default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 MYTESTINGAPP.ML = {
  kdc = mytestingapp.ml
  admin_server = mytestingapp.ml
 }

[domain_realm]
 .mytestingapp.ml = MYTESTINGAPP.ML
 mytestingapp.ml = MYTESTINGAPP.ML

To validate krb5.conf I used the command below:

[root@centos ~]# kinit centos@MYTESTINGAPP.ML
Password for centos@MYTESTINGAPP.ML:

I used the klist command to validate the ticket:

[root@centos ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: centos@MYTESTINGAPP.ML

Valid starting       Expires              Service principal
02/16/2022 05:59:33  02/16/2022 15:59:33  krbtgt/MYTESTINGAPP.ML@MYTESTINGAPP.ML
        renew until 02/23/2022 05:59:21

I destroyed the cached ticket and created a keytab file /etc/elasticsearch/centos.keytab using the commands below:

ktutil
  addent -password -p centos@MYTESTINGAPP.ML -k 1 -e arcfour-hmac
  - enter password for username -
  write_kt /etc/elasticsearch/centos.keytab
  exit

I used the command below to validate the keytab file:

[root@centos ~]# kinit centos@MYTESTINGAPP.ML -k -t /etc/elasticsearch/centos.keytab

I restarted the Elasticsearch service and sent some curl requests, as below:

[root@centos ~]# curl -XGET https://centos.mytestingapp.ml:9200 --insecure
Unauthorized

[root@centos ~]# curl -XGET https://centos.mytestingapp.ml:9200 -u 'centos:Welcome@123' --insecure
Unauthorized

[root@centos ~]# curl --negotiate -u : -XGET https://centos.mytestingapp.ml:9200/ -u 'centos:Welcome@123' --insecure
Unauthorized

Note: I am using Active Directory with Kerberos to authenticate with Open Distro.

What should I do so that Kerberos authentication will start? Where am I making mistakes?

Thanks
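The thread does not reach a resolution, but two checks apply to any SPNEGO acceptor: the keytab named in acceptor_keytab_filepath must hold a key for the principal named in acceptor_principal (a service principal such as HTTP/host), and after a successful curl --negotiate the client's credential cache holds a service ticket for that same principal. The script below is an added example, not code from the thread or from the OpenSearch project; it runs those checks over constructed klist -kt and klist output modelled on the commands in the post, and assumes the realm MYTESTINGAPP.ML and the acceptor principal HTTP/centos.mytestingapp.ml quoted there.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the acceptor keytab holds a
# key for the configured acceptor principal, and that a client cache holds a
# service ticket for that principal after `curl --negotiate`. Inputs are
# constructed samples shaped like `klist -kt <keytab>` and `klist` output.
ACCEPTOR_PRINCIPAL='HTTP/centos.mytestingapp.ml'   # value from elasticsearch.yml
# Constructed `klist -kt` output for a keytab written with
# `addent -p centos@MYTESTINGAPP.ML`, i.e. a user principal, as in the thread.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/elasticsearch/centos.keytab
KVNO Timestamp           Principal
---- ------------------- -----------------------------------------
   1 02/16/2022 06:10:01 centos@MYTESTINGAPP.ML'

# Constructed `klist` output after a successful SPNEGO exchange with the node.
SAMPLE_CCACHE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: centos@MYTESTINGAPP.ML
Valid starting       Expires              Service principal
02/16/2022 05:59:33  02/16/2022 15:59:33  krbtgt/MYTESTINGAPP.ML@MYTESTINGAPP.ML
        renew until 02/23/2022 05:59:21
02/16/2022 06:01:10  02/16/2022 15:59:33  HTTP/centos.mytestingapp.ml@MYTESTINGAPP.ML'

# keytab_has_principal KLIST_KT_OUTPUT PRINCIPAL: exit 0 when an entry row (first
# field is the numeric KVNO) names PRINCIPAL. The @REALM suffix is ignored on
# both sides because acceptor_principal in elasticsearch.yml may omit it.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v want="${2%@*}" '
        $1 ~ /^[0-9]+$/ { p = $NF; sub(/@.*$/, "", p); if (p == want) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# ccache_has_service KLIST_OUTPUT PRINCIPAL: exit 0 when a ticket row (five
# fields, service principal last) names PRINCIPAL; "renew until" rows are skipped.
ccache_has_service() {
    printf '%s\n' "$1" | awk -v want="${2%@*}" '
        NF >= 5 && $NF ~ /\// { p = $NF; sub(/@.*$/, "", p); if (p == want) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# check_acceptor KLIST_KT_OUTPUT PRINCIPAL: prints a verdict, exit 0 only on a match.
check_acceptor() {
    if keytab_has_principal "$1" "$2"; then
        echo "OK: keytab has a key for $2"; return 0
    fi
    echo "MISMATCH: keytab has no key for $2; it only holds:"
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print "  " $NF }' | sort -u
    return 1
}
check_acceptor "$SAMPLE_KEYTAB" "$ACCEPTOR_PRINCIPAL" || true
ccache_has_service "$SAMPLE_CCACHE" "$ACCEPTOR_PRINCIPAL" && echo "OK: client holds a ticket for $ACCEPTOR_PRINCIPAL"
```

On a live node, feed the functions real output with `check_acceptor "$(klist -kt /etc/elasticsearch/centos.keytab)" 'HTTP/centos.mytestingapp.ml'` and `ccache_has_service "$(klist)" 'HTTP/centos.mytestingapp.ml'`, the latter after a curl --negotiate attempt.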

@kuldeep Could you clarify where the Kerberos server is? Is it on CentOS or AD?
If MS AD, then what version of MS are you running?

It is MS AD and the version is Microsoft Hyper-V Server 2016.

@kuldeep I’m curious why you are doing an install of Open Distro instead of OpenSearch.

If there are reasons you’re unable to migrate over to OpenSearch, we would appreciate your feedback in this survey.

@kris No, I didn't try OpenSearch. Actually, the client wants to migrate over to Open Distro, so I started a POC on it.

@kuldeep To ensure you are running software that receives timely security patches, we would recommend migrating from Open Distro to OpenSearch.

I had the same problem and tried both Open Distro and OpenSearch. Is this problem solved? Thanks.

Hello @Jowen - welcome to the OpenSearch community! Curious, is this a new install of Open Distro? We would recommend going to OpenSearch instead as it will be what moves forward in development.

I’m not sure - @pablo @Anthony - would you know?

@kris Yes, it is a new install of Open Distro. After many failed Open Distro attempts, I installed OpenSearch-1.3.4, but Kerberos still doesn't work. Here is my configuration:

1. opensearch.yml

I don’t know where the configuration is wrong, thanks.

2. {opensearch}/plugins/opensearch-security/securityconfig/config.yml

3. {opensearch}/config/