Open Distro authentication via Kerberos not working

I installed the Open Distro on a Centos Machine. I sent a curl request to verify that Elasticsearch is up and running and I got the below response.

[root@centos ~]# curl -XGET -u 'admin:admin' --insecure                                                              
  "name" : "node-1",
  "cluster_name" : "my-application",
  "cluster_uuid" : "j4ezsO0sRiKoT4tW77-Sjg",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "oss",
    "build_type" : "rpm",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  "tagline" : "You Know, for Search"

after that, I configured Kerberos on Open Distro so that Open Distro can validate the ticket and grant access to the user.

In /etc/elasticsearch/elasticsearch.yml

opendistro_security.kerberos.krb5_filepath: '/etc/krb5.conf'
opendistro_security.kerberos.acceptor_keytab_filepath: 'centos.keytab'
opendistro_security.kerberos.acceptor_principal: 'HTTP/'

In /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml

        http_enabled: true
        transport_enabled: true
        order: 1
          type: kerberos
          challenge: true
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: true
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
          type: noop
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 2
          type: basic
          challenge: false
          type: intern

In /etc/krb5.conf

[root@centos ~]# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 #pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
 default_realm = MYTESTINGAPP.ML
 #default_ccache_name = KEYRING:persistent:%{uid}

  kdc =
  admin_server =


to validate the krb5.conf I used below command

[root@centos ~]# kinit centos@MYTESTINGAPP.ML
Password for centos@MYTESTINGAPP.ML:

I used klist command to validate the ticket

[root@centos ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: centos@MYTESTINGAPP.ML

Valid starting       Expires              Service principal
02/16/2022 05:59:33  02/16/2022 15:59:33  krbtgt/MYTESTINGAPP.ML@MYTESTINGAPP.ML
        renew until 02/23/2022 05:59:21

I destroy the cached ticket and I created a keytab file /etc/elasticsearch/centos.keytab using the below command

  addent -password -p centos@MYTESTINGAPP.ML -k 1 -e arcfour-hmac
  - enter password for username -
  write_kt /etc/elasticsearch/centos.keytab

I used below command to validate the keytab file

[root@centos ~]# kinit centos@MYTESTINGAPP.ML -k -t /etc/elasticsearch/centos.keytab

I restarted the elasticsearch service and sent some curl requests as below

[root@centos ~]# curl -XGET --insecure

[root@centos ~]# curl -XGET -u 'centos:Welcome@123' --insecure

[root@centos ~]# curl --negotiate -u : -XGET -u 'centos:Welcome@123' --insecure

Note:- I am using Active Directory with Kerberos to authenticate the Open Distro.

What I should do so that Kerberos authentication will start? Where I am doing mistakes?


@kuldeep Could you clarify where is the Kerberos server? Is it on CentOS or AD?
If MS AD, then what version of MS are you running?

It is MS AD and version is Microsoft Hyper-V Server 2016

@kuldeep I’m curious why you are doing an install of Open Distro instead of OpenSearch.

If there are reasons you’re unable to migrate over to OpenSearch, we would appreciate your feedback in this survey.

@kris No no, I didn’t try OpenSearch. Actually, the Client wants to migrate over OpenDistro so I started POC on it.

@kuldeep to ensure you are running software that receives timely security patches, we would recommend migrating from Open Distro to OpenSearch

I had the same problem, tried both open distro and opensearch, is this problem solved? thanks.

Hello @Jowen - welcome to the OpenSearch community! Curious, is this a new install of Open Distro? We would recommend going to OpenSearch instead as it will be what moves forward in development.

I’m not sure - @pablo @Anthony - would you know?

@kris Yes, It is a new install of Open Distro. After many failed open distro attempts, I installed OpenSearch-1.3.4, but kerberos still doesn’t work, here is my configuration:

1. opensearch.yml

I don’t know where the configuration is wrong, thanks.

2. {opensearch}/plugins/opensearch-security/securityconfig/config.yml

3. {opensearch}/config/