
How to setup High Availability for kerberos

Explorer

I want to use High Availability for kerberos.

If anyone has the method, please give me the information.

Regards,

1 ACCEPTED SOLUTION


@Hiroshi Shidara

Your question is a bit broad. Are you looking to set up a KDC (or Active Directory) for high availability or configure Ambari to connect to replicated KDCs or Active Directories?

If you are looking to set up a replicated KDC, this is probably not the forum for that. However, if you are setting up an MIT KDC, you can follow the docs at https://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html.

From the Ambari side, as of Ambari 2.4.0, you can specify multiple KDC hosts to be set in the Ambari-managed krb5.conf file. Also, you will want to set the master_kdc value for the realm. There is a field in the Enable Kerberos Wizard in Ambari 2.5.1 and above for this (Advanced kerberos-env -> Master KDC host) or you can manually add it to the krb5.conf template under "Advanced krb5-conf".

Whether the krb5.conf file is managed by Ambari or not, the realm specification for your realm should look something like

    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        master_kdc = kdc1.example.com
    }

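A small checker for the realm stanza described above, added here as an example (it is not code from the thread, Ambari or MIT Kerberos). It assumes a krb5.conf in the syntax shown and flags a realm that has fewer than two kdc entries, or whose master_kdc is missing or not among those kdc hosts; the sample config is constructed from the stanza in the answer.

```python
import re

# Constructed sample, modelled on the realm stanza in the accepted answer.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        master_kdc = kdc1.example.com
    }
"""

def parse_realms(text):
    """Return {realm: {key: [values]}} from [realms]; repeated keys such
    as several 'kdc =' lines are kept in order."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()                # drop comments
        if m := re.match(r'\[(\w+)\]$', line):             # [section]
            section, realm = m.group(1), None
        elif section != 'realms' or not line:
            continue
        elif m := re.match(r'([\w.\-]+)\s*=\s*\{$', line):  # REALM = {
            realm = m.group(1); realms[realm] = {}
        elif line == '}':
            realm = None
        elif realm and '=' in line:
            k, v = (s.strip() for s in line.split('=', 1))
            realms[realm].setdefault(k, []).append(v)
    return realms

def failover_problems(text, realm):
    """Reasons why clients of `realm` cannot fail over cleanly; [] if none."""
    r = parse_realms(text).get(realm)
    if r is None:
        return [f'realm {realm} not defined in [realms]']
    probs = []
    kdcs = [h.split(':')[0] for h in r.get('kdc', [])]    # strip :port
    if len(kdcs) < 2:
        probs.append('fewer than two kdc entries: nothing to fail over to')
    master = r.get('master_kdc')
    if not master:
        probs.append('master_kdc unset: a password rejected by a stale replica '
                     'is not retried against the primary')
    elif master[0].split(':')[0] not in kdcs:
        probs.append('master_kdc is not one of the listed kdc hosts')
    return probs
```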

8 REPLIES

Master Mentor

@Hiroshi Shidara

From Ambari 2.4 onwards you can define "kdc_hosts", which can take comma-separated values for the KDCs: https://issues.apache.org/jira/browse/AMBARI-13240

Apache Ambari Docs: https://cwiki.apache.org/confluence/display/AMBARI/Automated+Kerberizaton#AutomatedKerberizaton-kdc_...


Explorer

@Jay SenSharma

Thank you for your information and the document.

I refer to it.

Explorer

Hi Robert,

Could you please clarify some doubts for me.

I have installed Kerberos in my cluster and it's working fine.

Now I have to enable HA for Kerberos, so as per my understanding I should install a KDC on another server which acts as standby, and then I should update the krb5.conf file on both servers as mentioned above.

Is my understanding correct? If not, could you please guide me through the steps to enable HA.


Kind Regards,

Manjunath P N


@Manjunath P N. I am not sure of all the steps, but they should be outlined here - https://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html.


Explorer

@Robert Levas

@Jay Sensharma

Thank you for your information.

We will try the practice.

Explorer

Hi @All

Can anyone suggest how to set up Kerberos with high availability?

Here are my setup steps:

1.

    sudo cat /etc/krb5.conf
    [libdefaults]
    default_realm = EXAMPLE.COM

    # The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    rdns = false

    [realms]
    EXAMPLE.COM = {
    kdc = kdc01.example.com
    kdc = kdc02.example.com
    admin_server = kdc01.example.com
    }

    [domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    [logging]
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log

2.

    sudo cat /etc/krb5kdc/kdc.conf
    [kdcdefaults]
    kdc_ports = 750,88

    [realms]
    EXAMPLE.COM = {
    database_name = /var/lib/krb5kdc/principal
    admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
    acl_file = /etc/krb5kdc/kadm5.acl
    key_stash_file = /etc/krb5kdc/stash
    kdc_ports = 750,88
    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s
    #master_key_type = aes256-cts
    #supported_enctypes = aes256-cts:normal aes128-cts:normal
    default_principal_flags = +preauth
    }

3.

    sudo cat /etc/krb5kdc/kadm5.acl
    # This file Is the access control list for krb5 administration.
    # When this file is edited run service krb5-admin-server restart to activate
    # One common way to set up Kerberos administration is to allow any principal
    # ending in /admin is given full administrative rights.
    # To enable this, uncomment the following line:
    # */admin *
    */admin@EXAMPLE.COM *

    kadmin.local: listprincs
    K/M@EXAMPLE.COM
    host/kdc01.example.com@EXAMPLE.COM
    host/kdc02.example.com@EXAMPLE.COM
    kadmin/admin@EXAMPLE.COM
    kadmin/changepw@EXAMPLE.COM
    kadmin/kdc01.example.com@EXAMPLE.COM
    krbtgt/EXAMPLE.COM@EXAMPLE.COM
    root/admin@EXAMPLE.COM
    ubuntu/admin@EXAMPLE.COM
    ubuntu@EXAMPLE.COM

Extract the key file for the kdc02 principal, which is the server we are on:

    $ sudo kadmin -p ubuntu/admin -q "ktadd host/kdc02.example.com"

Create /etc/krb5kdc/kpropd.acl:

    host/kdc01.example.com@EXAMPLE.COM
    host/kdc02.example.com@EXAMPLE.COM

Now install the kpropd daemon, which listens for connections from the kprop utility on the primary KDC:

    $ sudo apt install krb5-kpropd

From a terminal on the primary KDC, create a dump file of the principal database:

    $ sudo kdb5_util dump /var/lib/krb5kdc/dump

Still on the primary KDC, extract its key:

    $ sudo kadmin.local -q "ktadd host/kdc01.example.com"

On the primary KDC, run the kprop utility to push the database dump made before to the secondary KDC:

    $ sudo kprop -r EXAMPLE.COM -f /var/lib/krb5kdc/dump kdc02.example.com
    kprop: Key table entry not found while getting initial credentials

This is the error I am getting. Please help if anyone has already done it. I am not using Ambari or anything else; I am setting this up normally on EC2 instances.

Community Manager

@thapas, Welcome to the Cloudera Community. As this is an older post, you would have a better chance of receiving a resolution by starting a new thread. This will also be an opportunity to provide details specific to your environment that could aid others in assisting you with a more accurate answer to your question. You can link this thread as a reference in your new post.



Regards,

Vidya Sargur,
Community Manager

