Tableau Server (Linux) Notes
Last Updated: August 8, 2018
Linux Installation
See the Tableau documentation.
Kerberos
Create Kerberos keys for SSO and GSSAPI binding
ktutil
addent -password -p [email protected] -k 1
wkt tableau.keytab
q
Test with:
kinit [email protected] -k -t tableau.keytab
Domain Name needs to be in all caps!
Creating a keytab with a custom service principal
Prerequisites: Requires kadmin on the Linux host
- Create a KDC database using this command:
sudo krb5_newrealm
- Start the KDC and Kerberos admin servers using these commands:
sudo /etc/init.d/krb5-kdc restart
sudo /etc/init.d/krb5-admin-server restart
- Add Principals and create Keys.
sudo kadmin.local
addprinc -randkey HTTP/[email protected]
ktadd HTTP/[email protected]
I made two keys, one for SSO using the HTTP service principal and one for GSSAPI (AD sync) with just [email protected] as the principal.
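A pre-copy check for the keytabs created above, added here as an example and not part of the original notes: it parses the MIT keytab file format (version 0x0502), lists each principal with its kvno and enctype number, and flags principals whose realm is not all caps. The EXAMPLE.COM principals, enctype 18 and the all-zero keys are constructed sample data.

```python
import struct

def _counted(s):  # counted string: big-endian uint16 length, then the bytes
    return struct.pack(">H", len(s.encode())) + s.encode()

def build_entry(realm, components, kvno, enctype=18, key=b"\x00" * 32):
    """Constructed record: names, name type, timestamp, kvno8, key type, dummy key."""
    body = struct.pack(">H", len(components))
    body += b"".join(_counted(s) for s in [realm, *components])
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

def _read_counted(data, p):
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(data):
    """List entries of a version 0x0502 keytab; key bytes are skipped, not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    # A record length of zero ends the file.
    while pos + 4 <= len(data) and (size := struct.unpack_from(">i", data, pos)[0]):
        pos += 4
        if size < 0:                 # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab record")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        names, p = [], pos + 2
        for _ in range(ncomp + 1):   # realm first, then the name components
            name, p = _read_counted(data, p)
            names.append(name)
        _ntype, _ts, kvno, enctype, keylen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + keylen
        if end - p >= 4:             # trailing 32-bit kvno wins when non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0],
                        "realm": names[0], "kvno": kvno, "enctype": enctype})
        pos = end
    return entries

def lowercase_realms(entries):  # principals whose realm is not all caps
    return [e["principal"] for e in entries if e["realm"] != e["realm"].upper()]

SAMPLE = (b"\x05\x02"  # constructed: HTTP service principal, then a lower-case realm
          + build_entry("EXAMPLE.COM", ["HTTP", "tableau.example.com"], 1)
          + build_entry("example.com", ["svc-tableau"], 1))
```

To check a real file, pass its bytes to parse_keytab, for example the contents of tableau.keytab opened in binary mode.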
Enable Kerberos authentication on Tableau Server
- Manually create the directory:
/var/opt/tableau/tableau_server/keytab
- Copy your tableau.keytab file to this directory and rename it to kerberos.keytab (must be that filename).
- Run:
tsm authentication kerberos enable
- Run:
tsm pending-changes apply
Sample krb5.conf
[libdefaults]
default_realm = TECHSTORMPC.NET
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following libdefaults parameters are only for Heimdal Kerberos.
v4_instance_resolve = false
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
    plain = {
        something = something-else
    }
}
fcc-mit-ticketflags = true
[realms]
TECHSTORMPC.NET = {
    kdc = dc.techstormpc.net
    admin_server = dc.techstormpc.net
    default_domain = techstormpc.net
}
[domain_realm]
.techstormpc.net = TECHSTORMPC.NET
techstormpc.net = TECHSTORMPC.NET
[login]
krb4_convert = true
krb4_get_tickets = false