Created on 10-24-2017 10:51 AM - edited 09-16-2022 05:26 AM
I want to use High Availability for Kerberos.
If anyone has the method, please give me the information.
Regards,
Created 10-24-2017 12:22 PM
Your question is a bit broad. Are you looking to set up a KDC (or Active Directory) for high availability or configure Ambari to connect to replicated KDCs or Active Directories?
If you are looking to set up a replicated KDC, this is probably not the forum for that. However, if you are setting up an MIT KDC, you can follow the docs at https://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html.
From the Ambari side, as of Ambari 2.4.0, you can specify multiple KDC hosts to be set in the Ambari-managed krb5.conf file. Also, you will want to set the master_kdc value for the realm. There is a field in the Enable Kerberos Wizard in Ambari 2.5.1 and above for this (Advanced kerberos-env -> Master KDC host) or you can manually add it to the krb5.conf template under "Advanced krb5-conf".
Whether the krb5.conf file is managed by Ambari or not, the realm specification for your realm should look something like
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        master_kdc = kdc1.example.com
    }
Created 10-24-2017 11:57 AM
From Ambari 2.4 onwards you can define "kdc_hosts", which can take comma-separated values for the KDCs: https://issues.apache.org/jira/browse/AMBARI-13240
Apache Ambari Docs: https://cwiki.apache.org/confluence/display/AMBARI/Automated+Kerberizaton#AutomatedKerberizaton-kdc_...
Created 10-25-2017 04:16 AM
Created 04-08-2019 09:29 AM
Hi Robert,
Could you please clarify some doubts for me.
I have installed Kerberos in my cluster and it's working fine.
Now I have to enable HA for Kerberos, so as per my understanding I should install a KDC on another server which acts as standby, and then I should update the krb5.conf file on both servers as mentioned above.
Is my understanding correct? If not, could you please guide me through the steps to enable HA.
Kind Regards,
Manjunath P N
Created 04-08-2019 12:18 PM
@Manjunath P N. I am not sure of all the steps, but they should be outlined here - https://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html.
Created 10-25-2017 04:14 AM
Created 09-12-2024 01:32 AM
Hi @All
Can anyone suggest how to set up Kerberos with high availability?
Here are my setup steps:
1. sudo cat /etc/krb5.conf
[libdefaults]
    default_realm = EXAMPLE.COM
    # The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    rdns = false
[realms]
    EXAMPLE.COM = {
        kdc = kdc01.example.com
        kdc = kdc02.example.com
        admin_server = kdc01.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
[logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log
2. sudo cat /etc/krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88
[realms]
    EXAMPLE.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        #master_key_type = aes256-cts
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }
3. sudo cat /etc/krb5kdc/kadm5.acl
# This file is the access control list for krb5 administration.
# When this file is edited, run "service krb5-admin-server restart" to activate.
# One common way to set up Kerberos administration is to allow any principal
# ending in /admin to be given full administrative rights.
# To enable this, uncomment the following line:
# */admin *
*/admin@EXAMPLE.COM *
kadmin.local: listprincs
K/M@EXAMPLE.COM
host/kdc01.example.com@EXAMPLE.COM
host/kdc02.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/kdc01.example.com@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
root/admin@EXAMPLE.COM
ubuntu/admin@EXAMPLE.COM
ubuntu@EXAMPLE.COM
Extract the key file for the kdc02 principal, which is the server we are on:
$ sudo kadmin -p ubuntu/admin -q "ktadd host/kdc02.example.com"
create /etc/krb5kdc/kpropd.acl:
host/kdc01.example.com@EXAMPLE.COM
host/kdc02.example.com@EXAMPLE.COM
Now install kpropd daemon, which listens for connections from the kprop utility from the primary KDC:
$ sudo apt install krb5-kpropd
From a terminal on the primary KDC, create a dump file of the principal database:
$ sudo kdb5_util dump /var/lib/krb5kdc/dump
Still on the Primary KDC, extract its key:
$ sudo kadmin.local -q "ktadd host/kdc01.example.com"
On the primary KDC, run the kprop utility to push the database dump made before to the secondary KDC:
$ sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com
kprop: Key table entry not found while getting initial credentials
This is the error I am getting. Please help if anyone has already done it. I am not using Ambari or anything else; I am just setting this up on EC2 instances.
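Two things in this thread are easy to get wrong silently: the realm stanza in krb5.conf (Robert's point above that a resilient realm lists more than one kdc and sets master_kdc) and the host/<fqdn>@REALM principals that kprop and kpropd use to authenticate to each other (the ktadd and kpropd.acl steps in the post above). The following script is an added example, not code from the thread or from the MIT Kerberos project; it parses a krb5.conf-style file and a pasted "listprincs" listing and reports what is missing. The sample config and principal list are constructed to mirror the post (no master_kdc, host principals for kdc01 and kdc02); the function names are mine.

```python
"""Check a krb5.conf realm stanza and a kadmin listprincs listing for KDC HA readiness.

Added example (not from the forum thread). Assumptions: krb5.conf uses the
usual "[section]" / "key = value" / "REALM = { ... }" layout; the listprincs
output is one principal per line.
"""
import re

# Constructed sample mirroring the poster's /etc/krb5.conf: two KDCs, no master_kdc.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc01.example.com
        kdc = kdc02.example.com
        admin_server = kdc01.example.com
    }
[domain_realm]
    .example.com = EXAMPLE.COM
"""

# Same stanza with master_kdc added, as recommended earlier in the thread.
SAMPLE_KRB5_CONF_HA = SAMPLE_KRB5_CONF.replace(
    "        admin_server = kdc01.example.com",
    "        master_kdc = kdc01.example.com\n        admin_server = kdc01.example.com",
)

# Constructed "kadmin.local -q listprincs" output, trimmed to the entries that matter here.
SAMPLE_LISTPRINCS = """\
K/M@EXAMPLE.COM
host/kdc01.example.com@EXAMPLE.COM
host/kdc02.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; a "NAME = {" block becomes a nested dict in the list."""
    sections = {}
    stack = []  # innermost dict last; braces push/pop
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # krb5.conf comments start with '#' or ';'
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        if "=" not in line or not stack:
            raise ValueError(f"unparsable line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            sub = {}
            stack[-1].setdefault(key, []).append(sub)
            stack.append(sub)
        else:
            stack[-1].setdefault(key, []).append(value)  # repeated keys (kdc = ...) accumulate
    return sections


def kdc_hosts(conf, realm):
    """KDC hostnames for the realm, with any :port suffix removed."""
    stanzas = conf.get("realms", {}).get(realm, [])
    if not stanzas:
        return []
    return [v.split(":")[0] for v in stanzas[0].get("kdc", [])]


def check_realm_ha(conf, realm):
    """Return a list of findings; an empty list means the stanza is HA-ready."""
    stanzas = conf.get("realms", {}).get(realm, [])
    if not stanzas:
        return [f"realm {realm} is not defined in [realms]"]
    stanza, hosts, problems = stanzas[0], kdc_hosts(conf, realm), []
    if len(hosts) < 2:
        problems.append("fewer than two kdc entries: a single KDC is a single point of failure")
    master = stanza.get("master_kdc")
    if not master:
        problems.append("master_kdc is not set: clients cannot fall back to the primary "
                        "after a replica rejects a freshly changed password")
    elif master[0].split(":")[0] not in hosts:
        problems.append("master_kdc is not one of the listed kdc hosts")
    if "admin_server" not in stanza:
        problems.append("admin_server is not set: kadmin and password changes have no target")
    return problems


def missing_host_principals(hosts, listprincs_output, realm):
    """kprop/kpropd authenticate with host/<fqdn>@REALM; list the KDC hosts that lack one."""
    have = {line.strip() for line in listprincs_output.splitlines() if line.strip()}
    return [h for h in hosts if f"host/{h}@{realm}" not in have]


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for finding in check_realm_ha(conf, "EXAMPLE.COM") or ["realm stanza looks HA-ready"]:
        print("krb5.conf:", finding)
    for host in missing_host_principals(kdc_hosts(conf, "EXAMPLE.COM"), SAMPLE_LISTPRINCS, "EXAMPLE.COM"):
        print("missing principal for kprop:", f"host/{host}@EXAMPLE.COM")
```

Run against the sample, the only finding is the missing master_kdc; against SAMPLE_KRB5_CONF_HA it reports nothing. A host principal that exists in the database is still only half of what kprop needs: its key must also be in the keytab that kprop and kpropd read on their respective hosts, which this offline check cannot see.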
Created 09-13-2024 03:11 AM
@thapas, Welcome to the Cloudera Community. As this is an older post, you would have a better chance of receiving a resolution by starting a new thread. This will also be an opportunity to provide details specific to your environment that could aid others in assisting you with a more accurate answer to your question. You can link this thread as a reference in your new post.
Regards,
Vidya Sargur,