Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

HDP Kerberos enable through Ambari

avatar
Contributor

Hi I have 6 node cluster setup as HDP 2.5 and ambari 2.4

Need to enable Kerberos Security:

Steps Did In ambari server :

1.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.1/bk_security/content/_enabling_kerberos_secu...

2. Yum install Kerberos and clients in all nodes

3. check /etc/krb.conf and checked on all nodes same files and realms

4. checked acl.file and edited and saved and restarted Kdc again

5. Enabling kerberos in ambari it was throwing error in Test Clients:

Error message: An internal system exception occurred: The 'krb5-conf' configuration is not available

500 status codereceived on POST method for API: /api/v1/clusters/Cluster/requests

1 ACCEPTED SOLUTION

avatar
Master Mentor

@Sam Red


On the KDC server which can be the same as the Ambari server or any server in the cluster install both rpm's on all

# yum install -y krb5-server krb5-workstation  

Edit Server Configuration Files

cd  /var/kerberos/krb5kdc 

Edit these 2 files

kdc.conf
kadm5.acl 

Mine are save

# cat kadm5.acl 
*/admin@TEST.COM      * 

# cat kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 TEST.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal 

Edit the Client Configuration

This file should be available on the KDC server edit it and copy it to the same path to all the other nodes

# cat /etc/krb5.conf

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = TEST.COM
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[domain_realm]
  test.com = TEST.COM
  .test.com = TEST.COM
[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log
[realms]
  TEST.COM = {
    admin_server = kdc.TEST.com
    kdc = kdc.test.com
  }
 } 

Note the FQDN

Create the KDC Database

# sudo kdb5_util create -s -r TEST.COM 

Confirm password twice Start and Enable Kerberos

# systemctl start krb5kdc kadmin 

Create Principals

# kadmin.local kadmin.local: addprinc root/admin 

quit

# sudo systemctl start krb5kdc kadmin 
# sudo systemctl enable krb5kdc kadmin 

On the Ambari UI enable Kerberos

root/admin@TEST.CH 

password {password_created_earlier}

This should take you through the procedure. Make sure the KDC is up and running !

View solution in original post

19 REPLIES 19

avatar
Master Mentor

@Sam Red

Did you create an admin principal? Are the krb5.conf file in /etc/krb5.conf? I just did kerberize a HDP 2.6 an hour ago without any issue what is the OS?

We can quickly resolve that !

avatar
Contributor

@Geoffrey Shelton Okot Yes I did created principal as admin/admin@host.com and OS is centos 7

avatar
Contributor

@Geoffrey Shelton Okot If you can share step by step that much heplful to get done.

avatar
Master Mentor

@Sam Red


On the KDC server which can be the same as the Ambari server or any server in the cluster install both rpm's on all

# yum install -y krb5-server krb5-workstation  

Edit Server Configuration Files

cd  /var/kerberos/krb5kdc 

Edit these 2 files

kdc.conf
kadm5.acl 

Mine are save

# cat kadm5.acl 
*/admin@TEST.COM      * 

# cat kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 TEST.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal 

Edit the Client Configuration

This file should be available on the KDC server edit it and copy it to the same path to all the other nodes

# cat /etc/krb5.conf

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = TEST.COM
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[domain_realm]
  test.com = TEST.COM
  .test.com = TEST.COM
[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log
[realms]
  TEST.COM = {
    admin_server = kdc.TEST.com
    kdc = kdc.test.com
  }
 } 

Note the FQDN

Create the KDC Database

# sudo kdb5_util create -s -r TEST.COM 

Confirm password twice Start and Enable Kerberos

# systemctl start krb5kdc kadmin 

Create Principals

# kadmin.local kadmin.local: addprinc root/admin 

quit

# sudo systemctl start krb5kdc kadmin 
# sudo systemctl enable krb5kdc kadmin 

On the Ambari UI enable Kerberos

root/admin@TEST.CH 

password {password_created_earlier}

This should take you through the procedure. Make sure the KDC is up and running !

avatar
Contributor

@Geoffrey Shelton Okot followed all these steps when i am starting Krb5kdc and kadmin I am Getting error like these.

Job for krb5kdc.service failed because the control process exited with error code. See "systemctl status krb5kdc.service" and "journalctl -xe" for details.

avatar
Master Mentor

@Sam Red

There you go !

avatar
Contributor

Thank You.

avatar
Master Mentor

@Sam Red

if you are root the remove the sudo !

What is the output of

# systemctl status krb5kdc.service

The result should be

# systemctl status krb5kdc.service
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2017-08-24 15:30:12 CEST; 1 day 4h ago
 Main PID: 23781 (krb5kdc)
   CGroup: /system.slice/krb5kdc.service
           └─23781 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
Aug 24 15:30:12 bombay.test.com systemd[1]: Starting Kerberos 5 KDC...
Aug 24 15:30:12 bombay.test.com systemd[1]: Started Kerberos 5 KDC

Please let me know

avatar
Contributor

@Geoffrey Shelton Okot Thank you so much for your help. These are the configs i specified On ambari server

Configs here :

kdc.conf

[kdcdefaults]

kdc_ports = 88

kdc_tcp_ports = 88 [realms]

RELAY.COM = { #master_key_type = aes256-cts

acl_file = /var/kerberos/krb5kdc/kadm5.acl

dict_file = /usr/share/dict/words

admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab


cat kadm5.acl

* /admin@RELAY.COM *


[libdefaults]

renew_lifetime = 7d

forwardable = true default_realm = RELAY.COM

ticket_lifetime = 24h

dns_lookup_realm = false

dns_lookup_kdc = false

default_ccache_name = /tmp/krb5cc_%{uid}

#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[logging] default = FILE:/var/log/krb5kdc.log

admin_server = FILE:/var/log/kadmind.log

kdc = FILE:/var/log/krb5kdc.log

[realms]

RELAY.COM =

{ admin_server = RELAY.COM

kdc = IP

kdc = IP

kdc = IP

kdc = IP

kdc = IP

kdc = IP

}

krb5kdc.service - Kerberos 5 KDC

Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: disabled)

Active: failed (Result: exit-code) since Fri 2017-08-25 10:53:48 PDT; 3s ago

Process: 22602 ExecStart=/usr/sbin/krb5kdc -P /var/run/krb5kdc.pid $KRB5KDC_ARGS (code=exited, status=1/FAILURE)

Main PID: 1911 (code=exited, status=0/SUCCESS)

Aug 25 10:53:48 systemd[1]: Starting Kerberos 5 KDC...

Aug 25 10:53:48 krb5kdc[22602]: krb5kdc: cannot initialize realm RELAY.COM - see log file for details

Aug 25 10:53:48 : krb5kdc.service: control process exited, code=exited status=1

Aug 25 10:53:48: Failed to start Kerberos 5 KDC.

Aug 25 10:53:48 Unit krb5kdc.service entered failed state.

Aug 25 10:53:48 krb5kdc.service failed.