About the new FLX location of krb5_filepath

faxmodem · February 16, 2023, 10:01am

The sgctl tool instructs us to move the acceptor_principal and acceptor_keytab from elasticsearch.yml to sgconfig’s sg_authc.yml. However, there is no mention of the krb5_filepath option.
Should that stay in elasticsearch.yml or move too ?

nils · February 16, 2023, 11:28am

You have two options:

Either add kerberos.krb5_config_file: /path/to/the/file to the type: kerberos section in sg_authc.yml. The default is /etc/krb5.conf so you do not specify it if your file is there.
Or, the kind of more standard Java way: Add kerberos.use_system_properties instead to sg_authc.yml and start each node with -Djava.security.krb5.conf=/path/to/the/file.

nils · February 16, 2023, 11:29am

See also Kerberos / SPNEGO | Security for Elasticsearch | Search Guard

Topic		Replies	Views
Kerberos acceptor_principal seems to be ignored Search Guard	10	809	March 12, 2021
elasticsearch.yml "searchguard.ssl.transport.keystore_filepath" java keystore in a subfolder Search Guard	4	1301	October 24, 2017
Start kerberos with Exceptionn: <Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96> Search Guard	4	4218	February 17, 2020
How to Configure SearchGuard on Elasticsearch Cluster Search Guard	2	541	March 7, 2019
Empty file path for searchguard.ssl.transport.pemkey_filepath Search Guard	4	1766	March 6, 2019

About the new FLX location of krb5_filepath

Related topics