Created 05-22-2017 06:45 AM
Hi,
I want to set up Kerberos on HDP 2.6. I have never done this before. Can anyone share the step-by-step commands/procedure on how to go about it? I am totally new to Kerberos. I am using CentOS.
Created 08-09-2017 02:47 PM
Assumption

REALM = GOLD.COM
REALM password = welcome1
KDC_HOST = KDC_SERVER_FQDN

yum install -y krb5-server krb5-libs krb5-workstation

The configuration files for the server are located in the directory /var/kerberos/krb5kdc. Edit the 2 files.

cd /var/kerberos/krb5kdc/
vi kadm5.acl

Replace the REALM after the @ with the below:

*/admin@GOLD.COM *

Edit the kdc.conf:

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 GOLD.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

Update the krb5.conf on the KDC server and copy this file to all the hosts in the cluster, in the below directory: /etc/krb5.conf

vi /etc/krb5.conf

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = GOLD.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 GOLD.COM = {
  kdc = KDC_SERVER_FQDN
  admin_server = KDC_SERVER_FQDN
 }

[domain_realm]
 .gold.com = GOLD.COM
 gold.com = GOLD.COM

When creating the KDC database we will need an entropy pool of random data.

sudo kdb5_util create -s -r GOLD.COM
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'GOLD.COM',
master key name 'K/M@GOLD.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: welcome1
Re-enter KDC database master key to verify: welcome1

Start and enable the two services. Ensure you run the status command to validate that kadmin is running.

# sudo systemctl start krb5kdc kadmin
# sudo systemctl enable krb5kdc kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.

# sudo kadmin.local
Authenticating as principal root/admin@GOLD.COM with password.
kadmin.local: listprincs
K/M@GOLD.COM
kadmin/admin@GOLD.COM
kadmin/changepw@GOLD.COM
kadmin/KDC_SERVER_FQDN@GOLD.COM
kiprop/KDC_SERVER_FQDN@GOLD.COM
krbtgt/UPUTEST.CH@UPUTEST.CH
kadmin.local:

Must create a root principal for kerberization:

kadmin.local: addprinc root/admin
WARNING: no policy specified for root/admin@GOLD.COM; defaulting to no policy
Enter password for principal "root/admin@GOLD.COM":
Re-enter password for principal "root/admin@GOLD.COM":
Principal "root/admin@GOLD.COM" created.

On all the hosts in the cluster install the client:

yum install -y krb5-libs krb5-workstation

This will deliver the necessary files. Copy the krb5.conf from the KDC server to all the client hosts.

When running the kerberization tool in Ambari use:

root/admin@GOLD.COM password welcome1

Follow the instructions. Take care that you installed JCE on the KDC server.
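The answer above writes kdc.conf and krb5.conf by hand, and its supported_enctypes list still offers single-DES, 3DES and RC4 (arcfour) keys to every client, which a modern cluster has no reason to accept. The script below is an added example for this thread, not code from the answer or from Hortonworks: it renders the same three files (kadm5.acl, kdc.conf, krb5.conf) from the thread's placeholders GOLD.COM and KDC_SERVER_FQDN, keeps only the AES enctypes, pins the KDC by name instead of DNS lookups, and sets a matching permitted_enctypes on the client side so no host negotiates down to DES. The Camellia types are dropped as well because Java's Kerberos implementation does not use them. KDC_APPLY is this script's own switch; nothing touches disk unless it is set to 1.

```shell
#!/bin/sh
# Added example, not from the thread: render kadm5.acl, kdc.conf and krb5.conf
# for a new MIT KDC from two variables, with the DES, 3DES, RC4 and Camellia
# enctypes from the thread's kdc.conf dropped. GOLD.COM / KDC_SERVER_FQDN are
# the thread's placeholders; KDC_APPLY is an assumption of this script.
# Nothing is written to disk unless KDC_APPLY=1.

REALM="${REALM:-GOLD.COM}"
KDC_HOST="${KDC_HOST:-KDC_SERVER_FQDN}"

# Lower-case copy of the realm for the [domain_realm] mapping.
lower_realm() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# Only the */admin instance gets full rights, exactly as in the thread.
render_kadm5_acl() {
    printf '*/admin@%s *\n' "$1"
}

# AES only: des-cbc-*, des-hmac-sha1, des3-hmac-sha1, arcfour-hmac and the
# camellia types are gone. Every HDP JVM speaks aes128-cts; aes256-cts
# additionally needs the unlimited-strength JCE policy on older Java 8 builds.
render_kdc_conf() {
    cat <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 $1 = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal
  max_life = 24h
  max_renewable_life = 7d
 }
EOF
}

# Client side: same realm, KDC pinned by name (no DNS SRV lookups), and the
# same AES-only policy so a client never negotiates down to DES.
render_krb5_conf() {
    realm_lc=$(lower_realm "$1")
    cat <<EOF
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $1
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 permitted_enctypes = aes256-cts aes128-cts
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 $1 = {
  kdc = $2
  admin_server = $2
 }

[domain_realm]
 .$realm_lc = $1
 $realm_lc = $1
EOF
}

# Exit 0 if the text on stdin still names a weak enctype (used as a gate).
has_weak_enctype() {
    grep -q -E 'des-cbc|des-hmac|des3-hmac|arcfour'
}

# Write the files on the KDC host only when explicitly asked for.
if [ "${KDC_APPLY:-0}" = "1" ]; then
    render_kdc_conf "$REALM" | has_weak_enctype && { echo "weak enctype in kdc.conf"; exit 1; }
    render_kadm5_acl "$REALM"             > /var/kerberos/krb5kdc/kadm5.acl
    render_kdc_conf "$REALM"              > /var/kerberos/krb5kdc/kdc.conf
    render_krb5_conf "$REALM" "$KDC_HOST" > /etc/krb5.conf
    # Prompts for the master key interactively; keep it out of argv and shell history.
    kdb5_util create -s -r "$REALM"
    systemctl start krb5kdc kadmin
    systemctl enable krb5kdc kadmin
fi
```

Run it with `REALM=... KDC_HOST=... KDC_APPLY=1 sh kdc-setup.sh` on the KDC host; on the cluster hosts only the rendered /etc/krb5.conf is needed, exactly as the answer says. If an older JVM without the unlimited-strength policy has to join, remove aes256-cts from both enctype lists rather than re-adding DES.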
Created 05-22-2017 07:02 AM
Please refer to the following doc to know how to install KDC: http://docs.hortonworks.com/HDPDocuments/Ambari-2.5.0.3/bk_ambari-security/content/optional_install_...
Then you can refer to the Ambari doc to know how to set up Kerberos: https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.0.3/bk_ambari-security/content/set_up_kerberos_...
Created 05-22-2017 07:04 AM
Hello @Rishabh Oberoi
Please refer to the link below.
Created 05-22-2017 07:04 AM
For step-by-step instructions, the following Hortonworks article and YouTube video will be more useful:
Hortonworks HDP 2.5 Kerberos with Active Directory as the KDC: https://www.youtube.com/watch?v=-HMyEpDJeGg&feature=youtu.be
Created 08-09-2017 02:15 PM
Hello Team, just wondering if we have updated documentation for the Kerberos setup on HDP 2.6. I am mainly interested in the checks we should be doing before starting the Kerberos setup using Ambari. The challenge using Ambari for the Kerberos setup is that if it gets stuck then getting the cluster back is a nightmare. Even the 'Skip' button on Ambari becomes unavailable many times. All services being green on Ambari may not be complete confirmation that the cluster is in a good state to start the Kerberos installation.
With manual installation, at least we know the steps followed and rollback may be a bit easier. Thanks
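The post above asks for the checks to run before starting the Ambari Kerberos wizard, and the later reply in this thread repeats that a pre-kerberization checklist would have avoided a full cluster rebuild. The script below is an added example written for this thread (not Hortonworks documentation and not Ambari's own checks) that covers the points the wizard silently depends on: a fully qualified, lower-case host name that resolves, /etc/krb5.conf present with the realm you are about to type in, the KDC and kadmin ports reachable from this host, clock sync, and the admin principal able to create and delete a throwaway principal, which is exactly the operation the wizard performs for every service. The parsing helpers take a file path so they can be exercised offline; the live checks run only when PREFLIGHT_RUN=1. PREFLIGHT_RUN, EXPECTED_REALM and ADMIN_PRINC are this script's own variables; GOLD.COM and root/admin are the thread's placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or Hortonworks docs: pre-flight checks
# to run on every host before starting the Ambari Kerberos wizard. The
# parsing helpers take a krb5.conf path so they can be exercised offline;
# the live checks only run when PREFLIGHT_RUN=1. EXPECTED_REALM, ADMIN_PRINC
# and PREFLIGHT_RUN are this script's own variables; GOLD.COM and root/admin
# are the thread's placeholders.

# default_realm from the [libdefaults] section of a krb5.conf
parse_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# first "kdc = host" line inside the given realm's [realms] stanza
parse_kdc_host() {
    awk -v realm="$2" '
        { gsub(/=/, " = ") }                    # tolerate "kdc=host" with no spaces
        $1 == realm && $3 == "{" { inside = 1; next }
        inside && $1 == "}"      { inside = 0 }
        inside && $1 == "kdc"    { print $3; exit }
    ' "$1"
}

# A host name usable in a service principal: fully qualified and lower-case
# (Ambari lower-cases host names when it builds service/host@REALM names).
check_fqdn() {
    case "$1" in
        *.*) ;;
        *) return 1 ;;
    esac
    [ "$1" = "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" ]
}

# The realm in krb5.conf must equal the one typed into the wizard, otherwise
# the principals Ambari creates and the tickets clients request are in
# different realms.
check_realm_matches() {
    [ "$(parse_default_realm "$1")" = "$2" ]
}

if [ "${PREFLIGHT_RUN:-0}" = "1" ]; then
    EXPECTED_REALM="${EXPECTED_REALM:-GOLD.COM}"
    ADMIN_PRINC="${ADMIN_PRINC:-root/admin@$EXPECTED_REALM}"
    conf=/etc/krb5.conf
    fail=0

    host=$(hostname -f)
    check_fqdn "$host" || { echo "FAIL: hostname -f gives '$host'"; fail=1; }
    ip=$(getent hosts "$host" | awk '{ print $1; exit }')
    [ -n "$ip" ] || { echo "FAIL: $host does not resolve"; fail=1; }

    [ -r "$conf" ] || { echo "FAIL: $conf missing, copy it from the KDC"; fail=1; }
    check_realm_matches "$conf" "$EXPECTED_REALM" \
        || { echo "FAIL: default_realm in $conf is not $EXPECTED_REALM"; fail=1; }

    # KDC (88) and kadmin (749) must be reachable from every host, not just the KDC itself
    kdc=$(parse_kdc_host "$conf" "$EXPECTED_REALM")
    for port in 88 749; do
        nc -z -w 3 "$kdc" "$port" || { echo "FAIL: $kdc:$port unreachable"; fail=1; }
    done

    # Kerberos rejects requests more than 5 minutes off the KDC clock
    chronyc tracking 2>/dev/null | grep 'System time' || echo "WARN: chrony not reporting; check NTP"

    # Round-trip a throwaway principal: create + delete is exactly what the wizard will do
    kadmin -p "$ADMIN_PRINC" -q "addprinc -randkey preflight/$host" \
        && kadmin -p "$ADMIN_PRINC" -q "delprinc -force preflight/$host" \
        || { echo "FAIL: $ADMIN_PRINC cannot create/delete principals"; fail=1; }

    exit "$fail"
fi
```

Run `PREFLIGHT_RUN=1 EXPECTED_REALM=GOLD.COM sh preflight.sh` on each host (kadmin prompts for the admin password) and only start the wizard when every host exits 0. The JCE unlimited-strength policy check is not scripted here; confirm it on the Ambari server and cluster JVMs separately, since without it AES-256 keytabs fail to decrypt while the wizard still reports success.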
Created 08-10-2017 02:15 AM
Hello Geoffrey, just wondering if you have similar instructions to unkerberize the cluster in case we fail to successfully set up Kerberos.
Thanks for the instructions and help.
Created 08-10-2017 07:53 AM
Unfortunately the only proper method is going through the Ambari UI.
Make sure you have the KDC credential and ensure the KDC server is accessible and running.
Hope that helps
Created 08-10-2017 12:51 PM
Hello Geoffrey, I agree. The challenge we faced last time is that cluster unkerberization via Ambari got stuck, and then doing it manually using the link https://stackoverflow.com/questions/29744821/how-to-disable-hadoop-kerberos helped a bit but not completely. We now have to re-initialize the whole cluster, and this time, using Ambari, it gets set up successfully. Looks like it is important to have a pre-kerberization checklist to make sure that the cluster is in a proper state before the start of this exercise. Thanks for your time and sharing the know-how. Appreciate it. Best Regards,
Created 08-10-2017 01:15 PM
Experience is the best teacher; it's always good to follow the official documentation. I have never failed to kerberize because I stick to the document. The setup of the KDC and KDC clients is key to successfully kerberizing and unkerberizing an HDP cluster. Remember to always document 🙂
If my answer helped you, then you can accept and close this thread.