The preferred configuration for integrating with Active Directory is to use a standalone KDC and create a cross-realm trust. I have done several of these deployments on physical hardware. Recently I built a test system on our OpenStack lab cluster using a small instance for the KDC. I followed the instructions in the HDP Security guide for configuring a KDC. When I created the database I noticed that the kdb5_util create -s command was stalling out. I tried several fixes and it took way too long.

I did some searching on Kerberos and learned how the Kerberos utilities create the random data needed for encryption. kdb5_util draws the master key from /dev/random, which is fed by the kernel's entropy pool. The kernel fills that pool from the timing of hardware events (keyboard and mouse input, disk and network interrupts), and on the RHEL 6 era kernels used here /dev/random blocks whenever its estimate of the pool drops too low, so kdb5_util hangs until enough entropy has accumulated. The kernel exposes that estimate in /proc/sys/kernel/random/entropy_avail; cat that file to see how many bits are currently available. A VM that is mostly idle has few interrupt sources and usually no hardware random number generator, so you will get a small value.

Red Hat provides a package called rng-tools, containing the rngd daemon, that you can install with yum. rngd reads from a hardware random number generator (a virtio-rng device exposed to the guest as /dev/hwrng, a TPM, or the CPU's RDRAND instruction where the CPU supports it) and feeds that data into the kernel pool, so it only helps when the instance actually has such a source. The workaround sometimes suggested of pointing rngd at /dev/urandom with -r just recycles the kernel's own output and adds no real entropy, which is not what you want for a KDC master key; on OpenStack, ask the cloud operator to attach a virtio-rng device to the instance instead.

sudo yum install rng-tools

Then start rngd.

sudo chkconfig rngd on 
sudo service rngd start

You can cat the value of /proc/sys/kernel/random/entropy_avail again to see if rngd has increased the entropy in your VM. The number fluctuates, because reads from /dev/random drain the pool as rngd refills it, so look at the trend rather than a single sample.

You should see a much higher value, and kdb5_util create -s will complete in a few seconds instead of hanging.
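The procedure above, checking the pool, waiting for rngd to refill it and only then creating the database, as an added shell script. This is example code written for this article, not from the HDP Security guide or the rng-tools project; the 1000-bit threshold, the 60 second timeout and the realm name EXAMPLE.COM are placeholder assumptions, and the functions take an optional file path so the logic can be exercised against a constructed file rather than the live procfs entry.

```shell
#!/bin/sh
# Added example (not from the original article): check the kernel's entropy
# estimate before running kdb5_util, and wait for rngd to refill the pool
# instead of letting kdb5_util block silently on /dev/random.
#
# Assumptions (illustrative, not from the article): the 1000-bit threshold,
# the 60 second timeout and the realm EXAMPLE.COM are placeholders.

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail

# Print the kernel's current entropy estimate in bits. Takes an optional
# path so the logic can be tested against a constructed file.
entropy_avail() {
    cat "${1:-$ENTROPY_FILE}"
}

# Classify an entropy value: "low" below the threshold, otherwise "ok".
classify_entropy() {
    value="$1"
    threshold="${2:-1000}"
    if [ "$value" -lt "$threshold" ]; then
        echo low
    else
        echo ok
    fi
}

# Poll entropy_avail once a second until it reaches the threshold or the
# timeout (seconds) expires. Returns 0 when enough entropy is available,
# 1 on timeout.
wait_for_entropy() {
    threshold="${1:-1000}"
    timeout="${2:-60}"
    file="${3:-$ENTROPY_FILE}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        value=$(entropy_avail "$file")
        if [ "$(classify_entropy "$value" "$threshold")" = ok ]; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# List the hardware entropy sources rngd could feed from on this host.
# rngd needs one of these; without one it has nothing real to add.
hwrng_sources() {
    for dev in /dev/hwrng /dev/tpm0; do
        [ -e "$dev" ] && echo "$dev"
    done
    # RDRAND appears as a CPU flag on processors that support it
    grep -qw rdrand /proc/cpuinfo 2>/dev/null && echo rdrand
    return 0
}

main() {
    now=$(entropy_avail)
    echo "entropy_avail: $now ($(classify_entropy "$now"))"
    echo "hardware sources: $(hwrng_sources | tr '\n' ' ')"
    if ! wait_for_entropy 1000 60; then
        echo "entropy still low after 60s; is rngd running with a real source?" >&2
        exit 1
    fi
    # Only now create the KDC database; -s also writes the stash file.
    kdb5_util create -r EXAMPLE.COM -s
}

# Run main only when RUN_MAIN=1, so the file can also be sourced for checks.
if [ "${RUN_MAIN:-0}" = 1 ]; then
    main "$@"
fi
```

Run it on the KDC instance with `RUN_MAIN=1 sh kdc-entropy-check.sh` after starting rngd. If hwrng_sources prints nothing, rngd has no hardware source to draw from and the wait will time out, which is the signal to get a virtio-rng device attached rather than to feed rngd from /dev/urandom.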

Reference documentation from Red Hat:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Se...
