Install a new MIT KDC Kerberos

http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.1.0/bk_Ambari_Security_Guide/content/_optional_install_a_new_mit_kdc.html

 

Install a new MIT KDC

The following gives a very high level description of the KDC installation process. To get more information see specific Operating Systems documentation, such as RHEL documentation, CentOS documentation, or SLES documentation.

[Note] Note
Because Kerberos is a time-sensitive protocol, all hosts in the realm must be time-synchronized, for example, by using the Network Time Protocol (NTP). If the local system time of a client differs from that of the KDC by as little as 5 minutes (the default), the client will not be able to authenticate.

Install the KDC Server

  1. Install a new version of the KDC server:
    RHEL/CentOS/Oracle Linux
    yum install krb5-server krb5-libs krb5-workstation
    SLES
    zypper install krb5 krb5-server krb5-client
  2. Using a text editor, open the KDC server configuration file, located by default here:
    vi /etc/krb5.conf
  3. Change the [realms] section of this file by replacing the default “kerberos.example.com” setting for the kdc and admin_server properties with the Fully Qualified Domain Name of the KDC server host. In the following example, “kerberos.example.com” has been replaced with “my.kdc.server”.
    [realms]
     EXAMPLE.COM = {
       kdc = my.kdc.server
       admin_server = my.kdc.server
    }
  4. Some components such as HUE require renewable tickets. To configure MIT KDC to support them, ensure the following settings are specified in thelibdefaults section of the /etc/krb5.conf file.renew_lifetime = 7d

Create the Kerberos Database

  • Use the utility kdb5_util to create the Kerberos database.
    RHEL/CentOS/Oracle Linux
    kdb5_util create -s
    SLES
    kdb5_util create -s

Start the KDC

  • Start the KDC server and the KDC admin server.
    RHEL/CentOS/Oracle Linux 6
    /etc/rc.d/init.d/krb5kdc start
    /etc/rc.d/init.d/kadmin start
    RHEL/CentOS/Oracle Linux 7
    systemctl start krb5kdc
    systemctl start kadmin
    SLES 11
    rckrb5kdc start
    rckadmind start
    
    [Important] Important
    When installing and managing your own MIT KDC, it is very important to set up the KDC server to auto-start on boot. For example:

    RHEL/CentOS/Oracle Linux 6

    chkconfig krb5kdc on

    chkconfig kadmin on

    RHEL/CentOS/Oracle Linux 7

    systemctl enable krb5kdc

    systemctl enable kadmin

    SLES 11

    chkconfig rckrb5kdc on

    chkconfig rckadmind on

Create a Kerberos Admin

Kerberos principals can be created either on the KDC machine itself or through the network, using an “admin” principal. The following instructions assume you are using the KDC machine and using the kadmin.local command line administration utility. Using kadmin.local on the KDC machine allows you to create principals without needing to create a separate “admin” principal before you start.

[Note] Note
You will need to provide these admin account credentials to Ambari when enabling Kerberos. This allows Ambari to connect to the KDC, create the cluster principals and generate the keytabs.
  1. Create a KDC admin by creating an admin principal.
    kadmin.local -q "addprinc admin/admin"
  2. Confirm that this admin principal has permissions in the KDC ACL. Using a text editor, open the KDC ACL file:
    RHEL/CentOS/Oracle Linux
    vi /var/kerberos/krb5kdc/kadm5.acl
    SLES
    vi /var/lib/kerberos/krb5kdc/kadm5.acl
  3. Ensure that the KDC ACL file includes an entry so to allow the admin principal to administer the KDC for your specific realm. When using a realm that is different than EXAMPLE.COM, be sure there is an entry for the realm you are using. If not present, principal creation will fail. For example, for an admin/admin@HADOOP.COM principal, you should have an entry:*/admin@HADOOP.COM *
  4. After editing and saving the kadm5.acl file, you must restart the kadmin process.
    RHEL/CentOS/Oracle Linux 6
    /etc/rc.d/init.d/kadmin restart
    RHEL/CentOS/Oracle Linux 7
    systemctl restart kadmin
    SLES 11
    rckadmind restart

 

Install the JCE

  1. On the Ambari Server, obtain the JCE policy file appropriate for the JDK version in your cluster.
  2. Save the policy file archive in a temporary location.
  3. On Ambari Server and on each host in the cluster, add the unlimited security policy JCE jars to $JAVA_HOME/jre/lib/security/.For example, run the following to extract the policy jars into the JDK installed on your host:
    unzip -o -j -q UnlimitedJCEPolicyJDK7.zip -d /usr/jdk64/jdk1.7.0_67/jre/lib/security/
  4. Restart Ambari Server.
  5. Proceed to Running the Security Wizard.
wget http://dl.huangshiyang.com/UnlimitedJCEPolicyJDK7.zip
unzip -o -j -q UnlimitedJCEPolicyJDK7.zip -d /usr/jdk64/jdk1.7.0_67/jre/lib/security/


1 
 2
3


4
5

1 thought on “Install a new MIT KDC Kerberos

  1. I see, that your page needs unique and fresh articles.
    I know it is hard to write articles manually everyday,
    but there is solution for this. Just search in google for;
    servitu’s tricks

Leave a Reply

Your email address will not be published. Required fields are marked *