Configuring Kerberos on VAST Cluster


Configuring a Kerberos Provider using the VAST Web UI

The steps below add a Kerberos provider to the cluster, with a service principal (e.g. for NFSv4).

  1. On the VAST Web UI, navigate to the User Management page, and select the VAST Providers tab.

  2. Click Add New Provider (in the upper right), and select Kerberos.

  3. In the General section of the form, complete these fields:

    Realm

    Enter the realm for the Kerberos provider. A realm is the administrative domain that defines the boundary for Kerberos authentication. It typically maps to an organization or network and includes a Key Distribution Center (KDC) that manages all principals (users, services) within it.

    For example, in a company with domain example.com, the Kerberos realm is often written in uppercase as EXAMPLE.COM. All authentications for users and services like alice@EXAMPLE.COM or host/server.example.com@EXAMPLE.COM are handled by the KDC for that realm.

    Service Principals

    Enter a list of service principals (for NFS) in the Kerberos realm. These are used by NFS clients in the authentication process. For example, nfs/vippool.mydomain.com, where vippool represents a CNode in a cluster (and whose DNS name resolves to the cluster).

    Enter a service principal, and click Add Service Principal. The principal appears in the list. Repeat for additional principals.

  4. Click Create Kerberos and Configure. This creates the Kerberos provider in VMS, and enables configuration settings to be set in the following tabs.

  5. Optionally, in the Kadmin section, enter a list of IP addresses or FQDNs for the Kerberos kadmin server. Enter each address, and then click Add. The address appears in the list. Repeat for additional addresses, up to five addresses. This step is only necessary if you are generating a keytab file manually (step 7.1, below).

  6. In the Key Distribution Center (KDC) List section, enter a list of IP addresses or FQDNs for the KDC. Enter each address, and then click Add. Repeat for additional addresses, up to ten addresses.

  7. In the Keytab File section, you can manually generate a keytab file for principals defined in the General section, using a username and password (of the Kerberos admin), or upload an existing keytab file to VMS.

    1. Select Generate Keytab File to generate a keytab file manually. Enter the username and password (for the Kerberos admin), then click Generate Keytab File. A keytab file is generated for the service principals listed in the General section.

    2. Alternatively, select Upload Keytab File. Drag a keytab file over the Keytab File field, or click on it to browse to a file on your computer. Click the upload icon to upload the file. See Creating a Keytab File for the Kerberos Provider, below, for details on creating a keytab file.

  8. Click Save Kerberos.

Enabling or Disabling the Kerberos Provider

When you create a new Kerberos provider on VAST Cluster, it is initially disabled.

Follow these steps to enable the provider.

  1. On the VAST Web UI, navigate to the User Management page, and select the Kerberos tab.

  2. Right-click on the provider to be enabled, and select Enable. The status of the provider in the list changes to Enabled.

Follow these steps to disable the provider.

  1. On the VAST Web UI, navigate to the User Management page, and select the Kerberos tab.

  2. Right-click on the provider to be disabled, and select Disable. The status of the provider in the list changes to Disabled.

Modifying Details for a Kerberos Provider Using the VAST Web UI

  1. On the VAST Web UI, navigate to the User Management page, and select the Kerberos tab.

  2. Right-click on the Kerberos provider in the list, and select Edit.

  3. In the General tab, you can add additional service principals, or remove them from the list. You cannot change the Realm. To remove a principal, right-click on it and select Remove.

  4. In the Kadmin server tab, you can add additional addresses, or remove existing ones. To remove an address, select it in the list and click the trash icon.

  5. In the Key Distribution Center (KDC) List tab, you can add additional addresses, or remove existing ones. To remove an address, select it in the list and click the trash icon.

  6. In the Keytab tab, you can generate or upload additional keytab files. The Generate option regenerates the keytab file for the same service principals defined in the General section. The Upload Keytab File option uploads a file containing entries for service principals; where the file holds an entry for a service principal that already exists, the existing entry is replaced by the one in the file.

  7. After making changes to the provider, click Save Kerberos.

Removing a Kerberos Provider Using the VAST Web UI

In order to remove a Kerberos provider, all tenants associated with it must first be disassociated from it. Only then can it be deleted.

  1. On the VAST Web UI, navigate to the User Management page, and select the Kerberos tab.

  2. Right-click on the Kerberos provider in the list, and select Remove.

Configuring Kerberos with VAST Local Providers

If a local provider is associated with a tenant, the users in the local provider should be added as user principals in Kerberos (using kadmin).

Configuring Kerberos with LDAP

If an LDAP provider is associated with a tenant, the LDAP domain should be the same as the Kerberos realm. Users in the LDAP provider should be added as user principals in Kerberos.

Associating Kerberos Providers with Tenants

You can associate a Kerberos provider with tenants on the cluster, as with any other local provider. This is done in the Tenants tab of the Elements page.

Creating a Keytab File for the Kerberos Provider

You can generate keytab files for the Kerberos provider using external utilities, depending on the flavor of Kerberos provider you are using.

For MIT Kerberos, use kadmin as follows:

$ kadmin -p <admin> ktadd -k <keytab> <principal>

where admin is the admin user on the Kerberos provider, keytab is the keytab file to write, and principal is the principal added to the keytab file.

For Heimdal Kerberos, the form would be like this:

# kadmin -p <admin> ext_keytab -k <keytab> <principal>

For FreeIPA, use:

$ kinit <admin>
Password for <admin>
$ ipa-getkeytab -k <keytab> -p <principal>

where admin is the admin user on the Kerberos provider, keytab is the keytab file to write, and principal is the principal added to the keytab file.
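Before uploading a keytab to VMS (step 7.2 above), it is worth confirming that the file actually holds an entry for every service principal configured in the General section, since the cluster can only accept service tickets for principals whose keys it holds. The parser below is an added example, not VAST, MIT or Heimdal code; it reads the version-2 keytab format that kadmin ktadd, ext_keytab and ipa-getkeytab all write, and the principal names, enctype and all-zero keys in the sample are constructed placeholders.

```python
import struct
def _counted(buf, off):  # uint16 length-prefixed octet string -> (bytes, next_off)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_principals(data):
    """Return [(principal, kvno, enctype), ...] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # a negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(data, p)
            comps.append(comp.decode())
        p += 8                        # skip uint32 name_type and uint32 timestamp
        kvno, (enctype, klen) = data[p], struct.unpack_from(">HH", data, p + 1)
        p += 5 + klen                 # past vno8, enctype, key length and the key itself
        if end - p >= 4:              # optional 32-bit kvno; if nonzero it wins
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries

def missing_principals(data, expected):  # configured principals with no keytab entry
    found = {name for name, _, _ in keytab_principals(data)}
    return sorted(set(expected) - found)

def _entry(principal, kvno, enctype, key):  # build one v2 entry for the sample below
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno)      # NT-PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: two NFS service principals (aes256-cts, enctype 18), placeholder zero keys
SAMPLE_KEYTAB = (b"\x05\x02" + _entry("nfs/vippool.mydomain.com@MYDOMAIN.COM", 3, 18, b"\x00" * 32)
                 + struct.pack(">i", -3) + b"\x00" * 3      # a deleted 3-byte slot
                 + _entry("nfs/vippool2.mydomain.com@MYDOMAIN.COM", 1, 18, b"\x00" * 32))
```

Run `missing_principals(open(path, "rb").read(), configured)` against the list from the General section; an empty result means every configured principal is covered.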

Configuring Kerberos using the VAST CLI

To configure a Kerberos provider using the VAST CLI, use these commands:

kerberos create

Add a new Kerberos provider.

kerberos modify

Modify an existing Kerberos provider.

kerberos delete

Remove a Kerberos provider.

kerberos show

Show details for a Kerberos provider.

To associate a Kerberos provider with cluster tenants, using the VAST CLI, use these commands:

tenant create

Create a new tenant and associate it with a Kerberos provider.

tenant modify

Associate an existing tenant with a Kerberos provider.