Member since 01-19-2017
3679 Posts
632 Kudos Received
372 Solutions
10-15-2017
07:03 AM
@ilia kheifets Sorry to hear you are encountering all these problems. Could you tell me the HDP, Ambari and OS type and version you are trying to install? I will try to guide you.
10-13-2017
07:16 PM
@tsharma Can you attach the following files in here: krb5.conf, kdc.conf and kadm5.acl? What is your AD Domain? Did you import the AD cert? Self-signed or CA?
10-13-2017
04:50 PM
@tsharma Can you have a look at this HCC doc and get back to me? I think that's what you intend to implement: Create MIT KDC in the Hadoop cluster to manage service principals while using a one-way trust to allow AD users to utilize the Hadoop environment seamlessly
10-13-2017
01:59 PM
@tsharma You have a couple of things wrong in your Kerberos setup. I noticed in your cluster the REALM is MIT.EDU, it should be different and NOT as you stated MIT.EDU (Michigan Institute of Technology), creators of Kerberos. Your kadm5.acl is wrong! Your REALM is not ATHENA.MIT.EDU, that's an example given with the MIT documentation. How did the container "KnoxUsers" and "knxadmin" user get created in AD?

Below is the procedure on CentOS/RHEL, but the commands are similar on all UNIX/Linux OSes.

Assumptions: REALM is TEST.COM

Install the KDC server. The below command will deliver the necessary configuration files

```
# yum install krb5-server
```

Edit your /etc/krb5.conf: replace all occurrences of TEST and test, please match case (lower or upper)

```
# cat /etc/krb5.conf
```

The krb5.conf should look like this, please notice the entries in lowercase for test.com and .test.com

```
[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = TEST.COM
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_ccache_name = /tmp/krb5cc_%{uid}
  #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
  #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[domain_realm]
  test.com = TEST.COM
  .test.com = TEST.COM

[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log

[realms]
  TEST.COM = {
    admin_server = {your_kdc_server}
    kdc = {your_kdc_server}
  }
```

Modify the kdc.conf in /var/kerberos/krb5kdc/kdc.conf, replace the TEST.COM with your REALM

```
# cat /var/kerberos/krb5kdc/kdc.conf
```

The kdc.conf should look like this

```
[kdcdefaults]
  kdc_ports = 88
  kdc_tcp_ports = 88

[realms]
  TEST.COM = {
    #master_key_type = aes256-cts
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    dict_file = /usr/share/dict/words
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  }
```

Delete the existing KDC database (optional). This deletes the existing Kerberos TEST database

```
# kdb5_util destroy -f TEST.COM
```

The below will prompt you for the password, please note it and don't lose it. Create the KDC database if you didn't already (this creates the Kerberos database)

```
# kdb5_util create -s TEST.COM
```

When the above process terminates you will have created a database for the TEST.COM (realm)

Start the kadmin & KDC

```
# service krb5kdc start
# service kadmin start
```

To autostart the KDC and Kadmin on system bootup execute the below step

```
# chkconfig krb5kdc on
# chkconfig kadmin on
```

The value for the kadm5.acl should match the output of the below command. On the KDC as root run the following (ONLY if you already created a previous REALM database)

```
# kdestroy
```

Create principal

```
# kadmin.local -q "addprinc admin/admin"
Authenticating as principal root/admin@TEST with password.
WARNING: no policy specified for admin/admin@TEST; defaulting to no policy
Enter password for principal "admin/admin@TEST":
Re-enter password for principal "admin/admin@TEST":
Principal "admin/admin@TEST" created.
```

Validate you can connect to the KDC with admin rights

```
# kadmin.local
Authenticating as principal root/admin@TEST.COM with password.
```

From the above, your kadm5.acl in /var/kerberos/krb5kdc/kadm5.acl should be as below, notice the space between the .COM and *

```
*/admin@TEST.COM *
```

Validate that you get a valid Kerberos ticket

```
# kinit admin/admin@TEST
Password for admin/admin@TEST
```

Check validity, it should be 7 days according to your krb5.conf

```
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin/admin@TEST

Valid starting       Expires              Service principal
10/13/2017 15:48:43  10/14/2017 15:48:43  krbtgt/TEST.COM@TEST.COM
```

Now you can trigger the Ambari Kerberos wizard and walk through the steps; the input values you need are Admin principal and Admin principal password. The keytabs should now be generated successfully; in your case (single node) check on the VM in /etc/security/keytabs

Please let me know if that helped
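A consistency check for the three files walked through in the post above, as an added example that is not part of the original post: it parses krb5.conf, kdc.conf and kadm5.acl, reports realm names that do not line up, and flags enctypes deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4). The function names `parse_krb5` and `audit` and the sample file contents are hypothetical, constructed for illustration.

```python
WEAK = ("des", "arcfour", "rc4")  # single DES (RFC 6649); 3DES and RC4 (RFC 8429)

def parse_krb5(text):
    """Parse krb5.conf-style text into nested dicts: {section: {key: value or {...}}}."""
    conf, stack = {}, [{}]
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":          # blank line or full-line comment
            continue
        if line.startswith("["):                 # [section] header
            stack = [conf.setdefault(line.strip("[]"), {})]
        elif line == "}":                        # end of a REALM = { ... } block
            stack.pop()
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":                     # start of a REALM = { ... } block
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def audit(krb5_text, kdc_text, acl_text):
    """Return a list of findings: realm mismatches and deprecated enctypes."""
    krb5, kdc, out = parse_krb5(krb5_text), parse_krb5(kdc_text), []
    realm = krb5.get("libdefaults", {}).get("default_realm", "")
    for name, conf in (("krb5.conf", krb5), ("kdc.conf", kdc)):
        if realm not in conf.get("realms", {}):
            out.append(f"{name}: no [realms] entry for default_realm {realm}")
    for domain, mapped in krb5.get("domain_realm", {}).items():
        if domain != domain.lower() or mapped not in krb5.get("realms", {}):
            out.append(f"krb5.conf: bad [domain_realm] mapping {domain} = {mapped}")
    for fields in map(str.split, acl_text.splitlines()):
        if fields and not fields[0].startswith("#") and not fields[0].endswith("@" + realm):
            out.append(f"kadm5.acl: {fields[0]} is not in realm {realm}")
    for name, conf in kdc.get("realms", {}).items():
        for spec in conf.get("supported_enctypes", "").split():
            if spec.startswith(WEAK):
                out.append(f"kdc.conf: {name} allows deprecated enctype {spec.split(':')[0]}")
    return out

# Constructed sample input: realm TEST.COM as in the post; the ACL still carries
# the MIT documentation's example realm, and kdc.conf lists legacy enctypes.
KRB5 = ("[libdefaults]\ndefault_realm = TEST.COM\n[domain_realm]\n.test.com = TEST.COM\n"
        "[realms]\nTEST.COM = {\n  kdc = kdc.test.com\n}\n")
KDC = ("[realms]\nTEST.COM = {\n  #master_key_type = aes256-cts\n"
       "  supported_enctypes = aes256-cts:normal arcfour-hmac:normal des-cbc-crc:normal\n}\n")
ACL = "*/admin@ATHENA.MIT.EDU *\n"

if __name__ == "__main__":
    print("\n".join(audit(KRB5, KDC, ACL)))
```

On a real KDC host, pass the contents of /etc/krb5.conf, /var/kerberos/krb5kdc/kdc.conf and /var/kerberos/krb5kdc/kadm5.acl to `audit` instead of the constructed strings.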
10-12-2017
11:08 PM
@Neha G Here you go !
10-12-2017
10:42 PM
@Neha G To get your Hadoop realm: from Ambari UI --> Admin --> Kerberos --> General, under the Global settings should be your REALM. The AD REALM could be domainController.example.com. A Kerberos realm is not a Windows 2000 domain,
10-12-2017
09:46 PM
@D G Would you be able to find the task attempt that actually failed? That task attempt can show you which machine and YARN container it ran on. Sometimes the logs don't have the error because it logged into stderr. In that case, the stderr from the container's YARN logs may show the error. Could you set these variables and re-run the query?

```
set hive.execution.engine=tez;
set hive.auto.convert.join=true;
set hive.auto.convert.join.noconditionaltask=true;
set hive.auto.convert.join.noconditionaltask.size=405306368;
set hive.vectorized.execution.enabled=true;
set hive.vectorized.execution.reduce.enabled=true;
set hive.cbo.enable=true;
set hive.compute.query.using.stats=true;
set hive.stats.fetch.column.stats=true;
set hive.stats.fetch.partition.stats=true;
set hive.merge.mapfiles=true;
set hive.merge.mapredfiles=true;
set hive.merge.size.per.task=134217728;
set hive.merge.smallfiles.avgsize=44739242;
set mapreduce.job.reduce.slowstart.completedmaps=0.8;
```

Please let me know if that helped
10-12-2017
09:14 PM
@Sai Sandeep, See the location in the attached screenshot! You can navigate to those directories for the Hive view, File view errors 🙂
10-12-2017
05:01 PM
@Sai Sandeep, Can you paste the error stack in hive20-view.log located in /var/log/ambari-server/hive20-view?
10-12-2017
08:49 AM
@Neha G Your krb5.conf on all hosts should have both entries of the HDP and AD realms, see below. In the below example HDP.HORTONWORKS.COM = HDP domain, AD.HORTONWORKS.COM = AD domain

```
[realms]
  HDP.HORTONWORKS.COM = {
    kdc = kdc-server.hortonworks.com
    admin_server = kdc-server.hortonworks.com
    default_domain = hdp.hortonworks.com
  }
  AD.HORTONWORKS.COM = {
    kdc = ad-server.hortonworks.com
    admin_server = ad-server.hortonworks.com
    default_domain = ad.hortonworks.com
  }
```

Hope that helps