Support Questions

Find answers, ask questions, and share your expertise

Kerberos Setup on HDP 2.6

avatar

Hi,

I want to setup kerberos on HDP 2.6. i have never done this before. Can anyone share the step by step commands/procedure on how to go about it? i am totally new to kerberos. i am using Centos.

1 ACCEPTED SOLUTION

avatar
Master Mentor

Assumption

REALM=GOLD.COM
REALM Password =welcome1
KDC_HOST =KDC_SERVER_FQDN

Install kerberos package

yum install -y krb5-server krb5-libs krb5-workstation

Edit Server Configuration Files

The configuration files for the server are located in the directory /var/kerberos/krb5kdc edit the 2 files

  • kdc.conf
  • kadm5.acl
  • The conf file is the server configuration and the acl file, well the ACL. The ACL grants all privileges to anyone one with the admin role. Change the Kerberos GOLD.COM realm
  • cd /var/kerberos/krb5kdc/
    vi kadm5.acl replace the REALM after the @ with the below
    
    */admin@GOLD.COM      *
    

Edit the kdc.conf

    [kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

    [realms]
    GOLD.COM = {
    #master_key_type = aes256-cts
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
    }

Edit the Client Configuration

Update the krb.conf on the KDC server copy this file to all the host in the cluster in the below directory /etc/krb5.conf

vi /etc/krb5.conf

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_realm = GOLD.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
GOLD.COM = {
kdc = KDC_SERVER_FQDN
admin_server = KDC_SERVER_FQDN
}

[domain_realm]
.gold.com = GOLD.COM
gold.com = GOLD.COM

Create the DC database

When creating the KDC database we will need an entropy pool of random data

sudo kdb5_util create -s -r GOLD.COM 

Loading random data 

Initializing database '/var/kerberos/krb5kdc/principal' for realm 'GOLD.COM', 

master key name 'K/M@GOLD.COM' 

You will be prompted for the database Master Password. It is important that you NOT FORGET this password.Enter KDC database master key: welcome1 

Re-enter KDC database master key to verify: welcome1

Start and Enable Kerberos

Start and enable the two services ensure you run status command to validate that kadmin is running

# sudo systemctl start krb5kdc kadmin
# sudo systemctl enable krb5kdc kadmin
Created symlink from /etc/systemd/system/multi-user.target.wants/krb5kdc.service to /usr/lib/systemd/system/krb5kdc.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/kadmin.service to /usr/lib/systemd/system/kadmin.service.

Check the Principals

# sudo kadmin.local
Authenticating as principal root/admin@GOLD.COM with password.
kadmin.local:  listprincs
K/M@GOLD.COM
kadmin/admin@GOLD.COM
kadmin/changepw@GOLD.COM
kadmin/KDC_SERVER_FQDN@GOLD.COM
kiprop/KDC_SERVER_FQDN@GOLD.COM
krbtgt/UPUTEST.CH@UPUTEST.CH
kadmin.local:

Must create a root principal for kerberization

kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@GOLD.COM; defaulting to no policy
Enter password for principal "root/admin@GOLD.COM":
Re-enter password for principal "root/admin@GOLD.COM":
Principal "root/admin@GOLD.COM" created.

Install kerberos Client package

on tall the hosts in the cluster install the client

yum install -y krb5-libs krb5-workstation

This will deliver the necessary files copy the krb5.conf from the KDC server to all the client hosts

Invoke kerberos tool in Ambari

When running the kerberization tool in Ambari use

root/admin@GOLD.COM password welcome1

Follow the instructions take care that you installed JCE on the KDC server

View solution in original post

22 REPLIES 22

avatar
Master Mentor

@Vishal Gupta

Experience is the best teacher, its always good to follow the official documentation I have never failed to to kerberize because I stick to the document. The setup of the KDC and KDC clients is key to successfully kerberize and unkerberize a HDP cluster. Remember to document always 🙂
If my helped you then,you can accept and close this thread.

avatar

Ambari doesn't have mechanism to install KDC and deploy kerberos set up like cloudera manager ?

Appreciate if someone provide glimpse on this ?

avatar
Master Mentor

@Vishal Gupta

I don't think Cloudera Manager does install the KDC and the client automatically. Whether you are using Cloudera or Hortonworks you will first need to have a working KDC server(krb5-server) and Kerberos clients (krb5-workstation, krb5-libs) and realm setup in both cases you will either use the CM or Ambari Kerberos wizard.

Having said that I provided a walkthrough to help you set up Kerberos on HDP, and consequent questions should be opened as new threads this revived quest dates from August 2017! 🙂

It will be great if you can marked this HCC thread as Answered by clicking on the "Accept" Button. That way other HCC users can quickly find the solution when they encounter the same issue.

HTH

avatar
Explorer

@Geoffrey Shelton OkotCan my KDC server and AD be same?I donot fine HDP documentation straightforward with clear instructions for enabling kerberos with AD.

avatar
Contributor

@Geoffrey Shelton Okot , the official documentation does not list the steps of installing kerberos clients and propagating krb5.conf to all the nodes. Does this mean Ambari tool will propagate krb5.conf and install krb5-workstation for me? I know using Cloudera Manager I have to set up clients as well which makes absolutely perfect sense. I just wanted to know for sure before I execute the wizard.

avatar
Master Mentor

@Alex Goron

Unfortunately, Ambari also doesn't push the krb5.conf, you need the install the Kerberos client on all the client nodes this will deliver the krb5.conf which you will need to modify using the correct REALM name and KDC hostname

Server install

yum install krb5-server krb5-libs krb5-workstation

KDC server package:

krb5-server
Admin package: krb5-libs 

Client install

yum install  krb5-workstation

Client package:

krb5-workstation


Configuration Files:

/var/kerberos/krb5kdc/kdc.conf {Present ONLY on server}
/var/kerberos/krb5kdc/kadm5.acl {Present ONLY on server}
/etc/krb5.conf {Present both server/client}

After editing the above files then you can run the Ambari Kerberos tool it should run successfully



avatar
Contributor

Thanks a lot @Geoffrey Shelton Okot! Makes perfect sense to me.

avatar
Master Mentor

@Alex Goron

Great then if that answered your question then can you take some time and "Accept" so that other members can reference it.

avatar
Contributor

@Geoffrey Shelton Okot , I would love to do so, but I can not see that "Accept" button ...

Alex

avatar
Master Mentor

@Alex Goron

Here you go

93025-accept.jpg