Support Questions

Find answers, ask questions, and share your expertise

Kerberos setup on HDP 2.6 prerequisites

avatar
Explorer

@Geoffrey Shelton Okot,

@mthiele,

I want to install Kerberos on Hadoop cluster, i have seen the article

Configuring Ambari and Hadoop for Kerberos using AD as the KDC - Video

https://community.hortonworks.com/questions/103945/kerberos-setup-on-hdp-26.html and this is really helpful.


I have couple of questions on this,

1.Do I need to install Kerberos via command line before starting this task?

2. Because i see krb5.conf file exists in my cluster and kerberos is not enabled, do I need to delete the conf files in all nodes and run"yum install -y krb5-server krb5-libs krb5-workstation" command then carry on the steps provided in the aboe article or i don't need to bother to about and straightaway start from Ambari for enabling process.

3. As per the official doc. https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/configuring_amb_hdp_for... we need to enable Kerberos from Ambari,

Now i need a clear idea 1st do I need to install kerberos using yum command and then start enabling from Ambari.??


Best Regards and Thanks in advance,

Manjunath P N

1 ACCEPTED SOLUTION

avatar
Master Mentor

@Manjunath P N

You will need to Install the KDC server on the KDC host manually on your own as described in https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/_optional_install_a_new...
.

What Ambari will do ?

>>> Once the KDC server is setup completed as per the above doc and it is running fine then you can simply enable the Kerberos from Ambari UI to your cluster. Ambari will be able to install the Kerberos Client packages on all the cluster host (using yum) and it will also setup the "/etc/krb5.conf" on all cluster machines where the kerberos clients need to be setup and will create the keytabs there. https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.2.2/bk_ambari-security/content/launching_the_ke...


The only thing you will need to manually do it to Install and Setup the KDC server .. so that you can tell ambari where your KDC server is running and what are the Kadmin principals, So that ambari can use that to setup kerberos to your cluster.

View solution in original post

4 REPLIES 4

avatar
Master Mentor

@Manjunath P N

You will need to Install the KDC server on the KDC host manually on your own as described in https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/_optional_install_a_new...
.

What Ambari will do ?

>>> Once the KDC server is setup completed as per the above doc and it is running fine then you can simply enable the Kerberos from Ambari UI to your cluster. Ambari will be able to install the Kerberos Client packages on all the cluster host (using yum) and it will also setup the "/etc/krb5.conf" on all cluster machines where the kerberos clients need to be setup and will create the keytabs there. https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.2.2/bk_ambari-security/content/launching_the_ke...


The only thing you will need to manually do it to Install and Setup the KDC server .. so that you can tell ambari where your KDC server is running and what are the Kadmin principals, So that ambari can use that to setup kerberos to your cluster.

avatar
Explorer

Hi @Jay Kumar SenSharma,

Thank you for your inputs.


When I am trying to install Kerberos using "yum install krb5-server krb5-libs krb5-workstation"

it is failing to install with below error messages.

https://fedora-mirror.zerocopy.io/epel/7/x86_64/repodata/repomd.xml: [Errno 14] curl#7 - "Failed connect to fedora-mirror.zerocopy.io:443; Connection refused"

Trying other mirror.

http://mirror.de.leaseweb.net/epel/7/x86_64/repodata/repomd.xml: [Errno 14] curl#7 - "Failed to connect to 2a00:c98:2030:a034::21: Network is unreachable"

Trying other mirror.

http://ftp.uni-stuttgart.de/epel/7/x86_64/repodata/repomd.xml: [Errno 14] curl#7 - "Failed to connect to 2001:7c0:2041:8::112: Network is unreachable"

Trying other mirror.

http://mirror.23media.de/epel/7/x86_64/repodata/repomd.xml: [Errno 14] curl#7 - "Failed to connect to 2a00:f48:1007::80: Network is unreachable"

Trying other mirror.

https://mirror.imt-systems.com/epel/7/x86_64/repodata/repomd.xml: [Errno 14] curl#7 - "Failed to connect to 2a01:7e0:0:201::10:20: Network is unreachable"

Trying other mirror.

^Chttp://fedora.tu-chemnitz.de/pub/linux/fedora-epel/7/x86_64/repodata/repomd.xml: [Errno -1] Error importing repomd.xml for epel: Damaged repomd.xml file

Trying other mirror.

Error list keeps on increasing what could be the reason for this?


Regards,

Manjunath P N

avatar
Master Mentor

@Manjunath P N

The error indicates that you might have some wanted repos inside your "/etc/yum.repos.d" directory. Which are not reachable/accessible.

http://mirror.de.leaseweb.net/epel/7/x86_64/repodata/repomd.xml: [Errno 14] curl#7 - "Failed to connect to 2a00:c98:2030:a034::21: Network is unreachable"
Trying other mirror.

Looks like some internet connectivity issue at your end. Either disable those unwanted repos Or fix the internet issue so that you can access them ...

Example for testing see if this works?

# curl -iLv http://mirror.de.leaseweb.net/epel/7/x86_64/repodata/repomd.xml


If the internet connectivity is fine and there is no network proxy issue then, specially the "epel" repos you can disable. To know mkore about how to disable / enable repos please refer to: https://docs.fedoraproject.org/en-US/Fedora/16/html/System_Administrators_Guide/sec-Managing_Yum_Rep...

avatar
Explorer

@Jay Kumar SenSharma,


Thank you for your inputs.

After running yum install commands the outcome will be krb5.conf file and i am already having the same file structure in my repository so can I directly go ahead with enabling Kerberos via Ambari and does the conf file will accept this?


Regards,

Manjunath P N