Using the CoreOS host computer’s kerberos data from inside the docker container

The docker containers share the identity (and machine account) of the host. By default, the kerberos credential cache and keytab file are created and stored in the host computer and are not available to the docker containers.

If a kerberos application running inside the docker container needs to use the kerberos credential cache and keytab files of the host machine account, Centrify recommends the following procedure.

To configure a kerberos application in a CoreOS container to use the kerberos files of the host computer account:

  1. By default, the host machine account's kerberos credential cache and keytab files are stored in /etc. Sharing /etc with a container is bad practice (it would expose every host configuration file, not just the two kerberos files), so use a separate directory that holds only the files to be shared.
  2. Set up the following in the CoreOS host computer:
    1. Create a directory /etc/centrify_krb5 for storing the host machine's kerberos credential cache and keytab file.
    2. Set up the following configuration parameters in centrifydc.conf:

      adclient.krb5.ccache.file: /etc/centrify_krb5/krb5.ccache
      adclient.krb5.keytab: /etc/centrify_krb5/krb5.keytab

      Note that these two parameters are read when the host joins Active Directory, so set them before you join the CoreOS host to the domain.

    3. If any host applications or scripts look for the machine kerberos credential cache and keytab files in /etc, create the following symlinks so the conventional paths keep working:

      ln -s /etc/centrify_krb5/krb5.keytab /etc/krb5.keytab
      ln -s /etc/centrify_krb5/krb5.ccache /etc/krb5.ccache

  3. For the docker images:
    1. In the docker run command, specify -v /etc/centrify_krb5:/etc/centrify_krb5 to bind-mount the directory into the container. Mount the directory rather than the two files individually, so that a file which is later replaced on the host (rather than rewritten in place) is still visible inside the container. Any container given this mount holds the host's machine account credentials, so mount it only into containers that need them.
    2. Point the kerberos applications/scripts at krb5.keytab and krb5.ccache in /etc/centrify_krb5 (instead of /etc). For applications built on MIT Kerberos this can usually be done without changing the application, by setting the standard environment variables KRB5_KTNAME=FILE:/etc/centrify_krb5/krb5.keytab and KRB5CCNAME=FILE:/etc/centrify_krb5/krb5.ccache.
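The whole procedure, host side and container side, as an added example script that is not part of the Centrify documentation or product. It assumes centrifydc.conf lives at /etc/centrifydc/centrifydc.conf, an image named krb5-app, and that the containerised application honours the MIT Kerberos environment variables KRB5CCNAME and KRB5_KTNAME; the function and variable names are the example's own. It goes beyond the page by also offering a keytab-only mode, in which the directory is mounted read-only and the container obtains its own tickets from the keytab instead of using the host's credential cache.

```shell
#!/bin/sh
# Added example, not Centrify's own code or documentation. Shares the CoreOS
# host machine account's kerberos credential cache and keytab with a Docker
# container following the procedure above.
# Assumptions (not from the original page): centrifydc.conf is at
# /etc/centrifydc/centrifydc.conf, the image is called "krb5-app", and the
# containerised application honours the MIT Kerberos variables KRB5CCNAME and
# KRB5_KTNAME.

KRB_DIR=/etc/centrify_krb5
CONF=${CENTRIFYDC_CONF:-/etc/centrifydc/centrifydc.conf}

# set_param FILE NAME VALUE: write "NAME: VALUE" into FILE, first removing any
# existing line for NAME (active or commented out) so only one definition remains.
set_param() {
    file=$1 name=$2 value=$3
    tmp=$(mktemp)
    grep -v -E "^[[:space:]]*#?[[:space:]]*${name}[[:space:]]*:" "$file" > "$tmp" 2>/dev/null || true
    printf '%s: %s\n' "$name" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_param FILE NAME: print the effective value of NAME (last definition wins).
get_param() {
    sed -n -E "s/^[[:space:]]*${2}[[:space:]]*:[[:space:]]*//p" "$1" | tail -n 1
}

# Step 2 of the procedure. Run this BEFORE adjoin: adclient reads the two
# parameters when the host joins Active Directory.
prepare_host() {
    mkdir -p "$KRB_DIR" && chmod 0755 "$KRB_DIR"
    set_param "$CONF" adclient.krb5.ccache.file "$KRB_DIR/krb5.ccache"
    set_param "$CONF" adclient.krb5.keytab "$KRB_DIR/krb5.keytab"
    # step 2.3: keep the conventional /etc paths working for host-side tools
    ln -sfn "$KRB_DIR/krb5.keytab" /etc/krb5.keytab
    ln -sfn "$KRB_DIR/krb5.ccache" /etc/krb5.ccache
}

# After adjoin: confirm the files exist and that the keytab, which is equivalent
# to the machine account password, is not readable by other host users.
check_host() {
    for f in "$KRB_DIR/krb5.keytab" "$KRB_DIR/krb5.ccache"; do
        [ -f "$f" ] || { echo "missing $f (host not joined yet?)" >&2; return 1; }
    done
    [ "$(stat -c %a "$KRB_DIR/krb5.keytab")" = 600 ] ||
        echo "warning: $KRB_DIR/krb5.keytab is not mode 0600" >&2
}

# docker_args MODE IMAGE: print the "docker run" arguments for step 3, one per
# line. The directory, not the two files, is mounted so that a file replaced on
# the host later is still visible inside the container.
docker_args() {
    mode=$1 image=$2
    case "$mode" in
    shared)
        # The page's procedure: the container uses the host's credential cache.
        # Mounted read-write because a Kerberos client stores the service
        # tickets it obtains in the cache it is using.
        printf '%s\n' -v "$KRB_DIR:$KRB_DIR" \
            -e "KRB5CCNAME=FILE:$KRB_DIR/krb5.ccache" \
            -e "KRB5_KTNAME=FILE:$KRB_DIR/krb5.keytab" "$image"
        ;;
    keytab)
        # Least-privilege variant: read-only mount; the container authenticates
        # with "kinit -k" from the keytab into its own cache and cannot touch
        # the host's cache.
        printf '%s\n' -v "$KRB_DIR:$KRB_DIR:ro" \
            -e "KRB5_KTNAME=FILE:$KRB_DIR/krb5.keytab" \
            -e "KRB5CCNAME=FILE:/tmp/krb5cc_app" "$image"
        ;;
    *)
        echo "usage: docker_args shared|keytab IMAGE" >&2
        return 2
        ;;
    esac
}

run_container() {
    # word splitting is intended: no argument contains whitespace
    docker run --rm $(docker_args "$1" "$2")
}

case "${1:-}" in
    prepare) prepare_host ;;
    check)   check_host ;;
    run)     run_container "${2:-shared}" "${3:-krb5-app}" ;;
esac
```

Usage on the host: `./krb5-share.sh prepare`, then `adjoin`, then `./krb5-share.sh check`, and finally `./krb5-share.sh run shared krb5-app` (or `run keytab krb5-app`). Prefer the keytab mode when the application can run `kinit -k` itself: the container then never writes to the host's cache, and the read-only mount limits what a compromised container can alter, although it still holds the machine keytab.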

Please contact Centrify Technical Support if the docker applications cannot use alternate locations for the kerberos credential cache and keytab files.