question Re: Kerberos with hortonworks stack 18.04 ubuntu in Support Questions

Kerberos with hortonworks stack 18.04 ubuntu

tburke — Fri, 16 Sep 2022 14:06:04 GMT

We have tried several attempts to get the hortonworks platform to work with kerberos using the ambari automated install. the errors are below. any advice to offer is appreciated. Tried to install manually the krb5-user but seems I am getting broken package errors, not sure of that was a good approach afer the automated failed.

2019-01-28 22:35:23,105 - Package['unzip'] {'retry_on_repo_unavailability': False, 'retry_count': 5}
2019-01-28 22:35:23,142 - Skipping installation of existing package unzip
2019-01-28 22:35:23,143 - Package['curl'] {'retry_on_repo_unavailability': False, 'retry_count': 5}
2019-01-28 22:35:23,177 - Skipping installation of existing package curl
2019-01-28 22:35:23,177 - Package['hdp-select'] {'retry_on_repo_unavailability': False, 'retry_count': 5}
2019-01-28 22:35:23,211 - Skipping installation of existing package hdp-select
2019-01-28 22:35:23,214 - The repository with version 3.1.0.0-78 for this command has been marked as resolved. It will be used to report the version of the component which was installed
2019-01-28 22:35:23,218 - Skipping stack-select on KERBEROS because it does not exist in the stack-select package structure.
2019-01-28 22:35:23,347 - Package['krb5-user'] {'retry_on_repo_unavailability': False, 'retry_count': 5}
2019-01-28 22:35:23,384 - Installing package krb5-user ('/usr/bin/apt-get -o Dpkg::Options::=--force-confdef --allow-unauthenticated --assume-yes install krb5-user')

Re: Kerberos with hortonworks stack 18.04 ubuntu

Shelton — Tue, 29 Jan 2019 08:52:11 GMT

@Tom Burke

Setup the Server:

Install Kerberos KDC and Admin Server

$ apt update && apt upgrade -y 
$ apt install krb5-kdc krb5-admin-server krb5-config -y 
$ krb5_newrealm

Locate and edit the krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 TEST.COM = {
  kdc = server.test.com
  admin_server = server.test.com
 }

[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM

KDC configuration

Locate and edit the kdc.conf /etc/krb5kdc/kdc.conf.

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
  TEST.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

Create the Kerberos database

This should pick your REALM for the krb5.conf and kdc.conf you will be prompted for a master password keep it preciously it will be useful for the Ambari Kerberos wizard

# /usr/sbin/kdb5_util create -s

output

Loading random data

Initializing database '/var/kerberos/krb5kdc/principal' for realm 'TEST.COM',

master key name 'K/M@TEST.COM'

You will be prompted for the database Master Password.

It is important that you NOT FORGET this password.

Enter KDC database master key:

Re-enter KDC database master key to verify:

Locate and edit the kadm5.acl

Assign Administrator Privilege by editing the kadm5.acl in /var/kerberos/krb5kdc/kadm5.acl replace the EXAMPLE.COM with your realm

*/admin@TEST.COM *

Restart the KDC and kadmin

Set the 2 daemons to auto start at boot else your cluster won't start

# /etc/rc.d/init.d/krb5kdc start 
Starting Kerberos 5 KDC: [ OK ] 
# /etc/rc.d/init.d/kadmin start 
Starting Kerberos 5 Admin Server:

Create a Kerberos Admin

Use the same master password

# kadmin.local -q "addprinc admin/admin"

Output

Authenticating as principal root/admin@TEST.COM with password.

WARNING: no policy specified for admin/admin@TEST.COM; defaulting to no policy

Enter password for principal "admin/admin@TEST.COM":

Re-enter password for principal "admin/admin@TEST.COM":

Principal "admin/admin@TEST.COM" created.

Check if the root principal was created

Go to Ambari and enable Kerberos

See attached Kerberos setup for HDP 3.1 they are quite similar save for the new UI

Re: Kerberos with hortonworks stack 18.04 ubuntu

Shelton — Tue, 29 Jan 2019 08:53:11 GMT

Part 3 of the previous kerberization document

Re: Kerberos with hortonworks stack 18.04 ubuntu

tburke — Tue, 29 Jan 2019 09:50:24 GMT

Thanks Again! I do believe I found my issue. the repos where not complete and accurate on my ubuntu 18.04 builds , so I just copied repos from my xenial 16.04 box and replaced xenial with ubuntu then was able to install lafter update the kerberos client.

here was my final repo for ubuntu 18.04

	deb http://us.archive.ubuntu.com/ubuntu/ bionic main restricted
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu/ bionic universe
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates universe
deb http://us.archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates multiverse
deb http://us.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse