You may also get some information from how we set up Kerberos at CERN at http://openstack-in-production.blogspot.fr/2014/10/kerberos-and-single-sign-on-with.html

From my understanding, the only connection is between Keystone and KDC. There is a standard Keystone token issued based off the Kerberos ticket and the rest is the same as if a password had been supplied.

Tim

From: Sanket Lawangare [mailto:sanket.lawangare at gmail.com]
Sent: 24 February 2015 19:53
To: openstack-dev at lists.openstack.org
Subject: [openstack-dev] Kerberos in OpenStack

Hello Everyone,

My name is Sanket Lawangare. I am a graduate student studying at The University of Texas at San Antonio. For my Master's thesis I am working on the Identity component of OpenStack. My research is to investigate external authentication with Identity (Keystone) using Kerberos.

Based on reading Jamie Lennox's blogs on Kerberos implementation in OpenStack and my understanding of Kerberos, I have come up with a figure explaining possible interaction of KDC with the OpenStack client, Keystone and the OpenStack services (Nova, Cinder, Swift...).

These are the blogs:

http://www.jamielennox.net/blog/2015/02/12/step-by-step-kerberized-keystone/
http://www.jamielennox.net/blog/2013/10/22/keystone-token-binding/

I am trying to understand the working of Kerberos in OpenStack.

Please click this link to view the figure: https://docs.google.com/drawings/d/1re0lNbiMDTbnkrqGMjLq6oNoBtR_GA0x7NWacf0Ulbs/edit?usp=sharing

P.S. - [The steps in this figure are self-explanatory; a basic understanding of Kerberos is expected]

Based on the figure I had a couple of questions:

1. Is Nova or other services registered with the KDC?
2. What does Keystone do with the Kerberos ticket/credentials? Does Keystone authenticate the users and give them direct access to other services such as Nova, Swift, etc.?
3. After receiving the ticket from the KDC, does Keystone embed some Kerberos credential information in the token?
4. What information does the service (e.g. Nova) see in the ticket and the token (does the token have some Kerberos info or some customized info inside it)?

If you could share your insights and guide me on this, I would really appreciate it. Thank you all for your time.

Regards,
Sanket Lawangare