question Re: Kerberos authentication from MacOS Monterey to access Hadoop Web UI post cluster Kerberization in Support Questions

Kerberos authentication from MacOS Monterey to access Hadoop Web UI post cluster Kerberization

banshidhar_saho — Tue, 30 May 2023 10:48:32 GMT

Hi Team,

I want to setup kerberos client in my Mac Laptop having MacOS Monterey (version 12.6.5). I have put the krb5.conf file at below paths.
/etc/krb5.conf
/Library/Preferences/edu.mit.kerberos

But when I try to run kinit, i get gelow error.
--
kinit -kt /Users/banshidhar_sahoo/Desktop/POC_KEYTAB/test.headless.keytab test@EXAMPLE.COM
kinit: krb5_get_init_creds: unable to reach any KDC in realm EXAMPLE.COM, tried 0 KDCs
--

I have also set the ENV Variable as below:
KRB5_CONFIG=/etc/krb5.conf

But getting same error while doing kinit.

Can you please suggest how to point to krb5.conf so that it can reach out to the correct kdc server.

Regards,
Banshi.

Re: Kerberos authentication from MacOS Monterey to access Hadoop Web UI post cluster Kerberization

steven-matison — Tue, 30 May 2023 12:25:06 GMT

@banshidhar_saho I am assuming you are not using @EXAMPLE.COM. Have you confirmed that your client (mac os) has network and dns connectivity with the KDC Host?

There's a few things you must do to configure it properly:

Ensure the Kerberos client libraries are installed on that host
Your on-prem krb5.conf file must be copied to the client host.
- The sections [realms] and [domain_realm] are especially important to solve your issue.
Ensure that the hostname of your KDC can be resolved from the client (you can test it with nslookup and/or ping). This must work correctly for Kerberos to work. If there's no integrated DNS you will have to add entries to your /etc/hosts file to ensure the resolution is correct.
Ensure that any firewalls are configured correctly to open ports between your application and your on-prem environment:
- Open all the ports required for the client to communicate with the KDC (typically, ports 88 UDP and 88 TCP)

Re: Kerberos authentication from MacOS Monterey to access Hadoop Web UI post cluster Kerberization

banshidhar_saho — Tue, 30 May 2023 13:44:37 GMT

Hi @steven-matison You are right. I have replaced actual REALM with EXAMPLE.COM while posting.

I have checked connectivity using "nc -zv" and "ping" command. Connectivity is fine.

====

nc -zv <kdc_server_VIP> <KDC_Port>
Connection to xxxxxxxx port xxxxxx [tcp/sqlexec] succeeded!

====

--- <kdc_server_VIP> ping statistics ---
13 packets transmitted, 12 packets received, 7.7% packet loss

====

"kinit: krb5_get_init_creds: unable to reach any KDC in realm EXAMPLE.COM, tried 0 KDCs"

By seeing the above error, I feel it's not able to locate the krb5.conf file.

When we run kinit command, is it referring to /etc directory for krb5.conf file or some other location in Mac machine?

Regards,

Banshi.

Re: Kerberos authentication from MacOS Monterey to access Hadoop Web UI post cluster Kerberization

banshidhar_saho — Wed, 31 May 2023 02:29:48 GMT

Hi @steven-matison

The issue got fixed after making below 2 changes in /etc/krb5.conf file

1. Issue was a include line in my /etc/krb5.conf file which was not valid.

Removed below from /etc/krb5.conf
"includedir /etc/krb5.conf.d/"

2. On macOS the default client does not fall back to TCP. In krb5.conf prefix kdc value with tcp/ to force the client to use TCP if your corporate network blocks UDP.
kdc = tcp/kdc.example.com:88

Regards,

Banshi.