Kerberos with hortonworks stack 18.04 ubuntu

Explorer

We have tried several attempts to get the Hortonworks platform to work with Kerberos using the Ambari automated install. The errors are below. Any advice to offer is appreciated. Tried to install manually the krb5-user but seems I am getting broken package errors, not sure if that was a good approach after the automated failed.

2019-01-28 22:35:23,105 - Package['unzip'] {'retry_on_repo_unavailability': False, 'retry_count': 5}
2019-01-28 22:35:23,142 - Skipping installation of existing package unzip
2019-01-28 22:35:23,143 - Package['curl'] {'retry_on_repo_unavailability': False, 'retry_count': 5}
2019-01-28 22:35:23,177 - Skipping installation of existing package curl
2019-01-28 22:35:23,177 - Package['hdp-select'] {'retry_on_repo_unavailability': False, 'retry_count': 5}
2019-01-28 22:35:23,211 - Skipping installation of existing package hdp-select
2019-01-28 22:35:23,214 - The repository with version 3.1.0.0-78 for this command has been marked as resolved. It will be used to report the version of the component which was installed
2019-01-28 22:35:23,218 - Skipping stack-select on KERBEROS because it does not exist in the stack-select package structure.
2019-01-28 22:35:23,347 - Package['krb5-user'] {'retry_on_repo_unavailability': False, 'retry_count': 5}
2019-01-28 22:35:23,384 - Installing package krb5-user ('/usr/bin/apt-get -o Dpkg::Options::=--force-confdef --allow-unauthenticated --assume-yes install krb5-user')
1 ACCEPTED SOLUTION

Explorer

Thanks again! I do believe I found my issue. The repos were not complete and accurate on my Ubuntu 18.04 builds, so I just copied repos from my xenial 16.04 box and replaced xenial with ubuntu, then was able to install after update the Kerberos client.

Here was my final repo for Ubuntu 18.04

deb http://us.archive.ubuntu.com/ubuntu/ bionic main restricted
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main restricted
deb http://us.archive.ubuntu.com/ubuntu/ bionic universe
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates universe
deb http://us.archive.ubuntu.com/ubuntu/ bionic multiverse
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates multiverse
deb http://us.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
deb http://security.ubuntu.com/ubuntu bionic-security universe
deb http://security.ubuntu.com/ubuntu bionic-security multiverse


3 REPLIES 3

Master Mentor

@Tom Burke

Setup the Server:

Install Kerberos KDC and Admin Server

$ apt update && apt upgrade -y 
$ apt install krb5-kdc krb5-admin-server krb5-config -y 
$ krb5_newrealm

Locate and edit the krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = TEST.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 TEST.COM = {
  kdc = server.test.com
  admin_server = server.test.com
 }

[domain_realm]
 .test.com = TEST.COM
 test.com = TEST.COM

KDC configuration

Locate and edit the kdc.conf /etc/krb5kdc/kdc.conf.


[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
  TEST.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

Create the Kerberos database

This should pick your REALM for the krb5.conf and kdc.conf. You will be prompted for a master password; keep it preciously, it will be useful for the Ambari Kerberos wizard.

# /usr/sbin/kdb5_util create -s

Output

Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'TEST.COM',
master key name 'K/M@TEST.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

Locate and edit the kadm5.acl

Assign Administrator Privilege by editing the kadm5.acl in /var/kerberos/krb5kdc/kadm5.acl; replace the EXAMPLE.COM with your realm

*/admin@TEST.COM *

Restart the KDC and kadmin

Set the 2 daemons to auto start at boot else your cluster won't start

# /etc/rc.d/init.d/krb5kdc start 
Starting Kerberos 5 KDC: [ OK ] 
# /etc/rc.d/init.d/kadmin start 
Starting Kerberos 5 Admin Server: 

Create a Kerberos Admin

Use the same master password

# kadmin.local -q "addprinc admin/admin" 

Output

Authenticating as principal root/admin@TEST.COM with password.
WARNING: no policy specified for admin/admin@TEST.COM; defaulting to no policy
Enter password for principal "admin/admin@TEST.COM":
Re-enter password for principal "admin/admin@TEST.COM":
Principal "admin/admin@TEST.COM" created.

Check if the root principal was created

Go to Ambari and enable Kerberos

See attached Kerberos setup for HDP 3.1; they are quite similar save for the new UI
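
The kdc.conf in the reply above lists single-DES, 3DES and RC4 key types next to AES, and its kadm5.acl line gives every */admin principal all kadmin privileges. The following check is an added example, not part of the original reply (function names are illustrative): it parses both files and reports those entries so they can be reviewed before Ambari creates the cluster's principals.

```python
import re

# Constructed sample input: the realm stanza and ACL line as posted above.
KDC_CONF = """\
[realms]
  TEST.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""
KADM5_ACL = "*/admin@TEST.COM *\n"

# Enctype name prefixes deprecated for Kerberos: single DES (RFC 6649),
# 3DES and RC4 (RFC 8429). "des" also matches the des3-* names.
WEAK_PREFIXES = ("des", "arcfour", "rc4")

def weak_enctypes(kdc_conf):
    """Map each realm to the weak entries in its supported_enctypes list."""
    findings, realm = {}, None
    for raw in kdc_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        opened = re.match(r"(\S+)\s*=\s*\{$", line)
        if opened:
            realm = opened.group(1)            # start of a realm stanza
        elif line == "}":
            realm = None
        elif realm and line.startswith("supported_enctypes"):
            pairs = re.split(r"[\s,]+", line.split("=", 1)[1].strip())
            names = [p.split(":", 1)[0].lower() for p in pairs]  # drop ":salt"
            findings[realm] = [n for n in names if n.startswith(WEAK_PREFIXES)]
    return findings

def broad_acl_entries(acl_text):
    """Return ACL lines granting all privileges ('*' or 'x') to a wildcard principal."""
    hits = []
    for raw in acl_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) >= 2 and "*" in fields[0] and fields[1] in ("*", "x"):
            hits.append(" ".join(fields))
    return hits

if __name__ == "__main__":
    print(weak_enctypes(KDC_CONF))
    print(broad_acl_entries(KADM5_ACL))
```

On a KDC host, pass the contents of the real kdc.conf and kadm5.acl files instead of the embedded samples.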


Master Mentor

Part 3 of the previous kerberization document
