The following gives a very high-level description of the KDC installation process. For more information, see the documentation for your specific operating system, such as the RHEL, CentOS, or SLES documentation.
Note: Because Kerberos is a time-sensitive protocol, all hosts in the realm must be time-synchronized, for example, by using the Network Time Protocol (NTP). If the local system time of a client differs from that of the KDC by as little as 5 minutes (the default), the client will not be able to authenticate.
Install the KDC Server
Install a new version of the KDC server:
RHEL/CentOS/Oracle Linux 6
yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation
SLES 11
zypper install krb5 krb5-server krb5-client
Ubuntu 12
apt-get install krb5 krb5-server krb5-client
Using a text editor, open the KDC server configuration file, located by default here:
/etc/krb5.conf
Change the [realms] section of this file by replacing the default “kerberos.example.com” setting for the kdc and admin_server properties with the Fully Qualified Domain Name of the KDC server host. In the following example, “kerberos.example.com” has been replaced with “my.kdc.server”.
[realms]
 EXAMPLE.COM = {
  kdc = my.kdc.server
  admin_server = my.kdc.server
 }
Some components, such as HUE, require renewable tickets. To configure MIT KDC to support them, ensure the following setting is specified in the [libdefaults] section of the /etc/krb5.conf file:
renew_lifetime = 7d
Create the Kerberos Database
Use the utility kdb5_util to create the Kerberos database.
RHEL/CentOS/Oracle Linux 6
kdb5_util create -s
SLES 11
kdb5_util create -s
Ubuntu 12
kdb5_util create -s
Start the KDC
Start the KDC server and the KDC admin server.
RHEL/CentOS/Oracle Linux 6
/etc/rc.d/init.d/krb5kdc start
/etc/rc.d/init.d/kadmin start
SLES 11
rckrb5kdc start
rckadmind start
Ubuntu 12
rckrb5kdc start
rckadmind start
Important: When installing and managing your own MIT KDC, it is very important to set up the KDC server to auto-start on boot. For example:
RHEL/CentOS/Oracle Linux 6
chkconfig krb5kdc on
chkconfig kadmin on
SLES 11
chkconfig rckrb5kdc on
chkconfig rckadmind on
Ubuntu 12
update-rc.d rckrb5kdc defaults
update-rc.d rckadmind defaults
Create a Kerberos Admin
Kerberos principals can be created either on the KDC machine itself or over the network, using an "admin" principal. The following instructions assume you are using the KDC machine and the kadmin.local command line administration utility. Using kadmin.local on the KDC machine allows you to create principals without needing to create a separate "admin" principal before you start.
Note: You will need to provide these admin account credentials to Ambari when enabling Kerberos. This allows Ambari to connect to the KDC, create the cluster principals and generate the keytabs.
Create a KDC admin.
RHEL/CentOS/Oracle Linux 6
kadmin.local -q "addprinc admin/admin"
SLES 11
kadmin.local -q "addprinc admin/admin"
Ubuntu 12
kadmin.local -q "addprinc admin/admin"
Confirm that this admin principal has permissions in the KDC ACL.
For example, on RHEL/CentOS, check that the /var/kerberos/krb5kdc/kadm5.acl file has an entry like the following, which allows the */admin principal to administer the KDC for your specific realm (in this case, the EXAMPLE.COM realm):
*/admin@EXAMPLE.COM *
When using a realm other than EXAMPLE.COM, ensure there is an entry for the realm you are using. If it is not present, principal creation will fail. After editing kadm5.acl, you must restart the kadmind process.
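The krb5.conf edits above ([realms] pointing at the real KDC host, renew_lifetime in [libdefaults]) and the kadm5.acl check are the two places where a fresh MIT KDC install most often goes wrong. The following preflight script is an added example, not part of the original page or of any MIT Kerberos or Ambari tooling: it reads a krb5.conf and a kadm5.acl from paths passed as parameters and reports each problem the procedure warns about. The sample configuration files it writes under a temporary directory are constructed for the demonstration; on a real host you would point it at /etc/krb5.conf and /var/kerberos/krb5kdc/kadm5.acl.

```shell
#!/bin/sh
# Added example: preflight checks for a freshly configured MIT KDC.
# Not from the original page; file paths are parameters, sample files are constructed.

# Print the realm names declared in the [realms] section of a krb5.conf.
krb5_realms() {
    awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[realms\]/); next }
        insec && /=[[:space:]]*[{]/ { sub(/^[[:space:]]*/, ""); sub(/[[:space:]]*=.*/, ""); print }
    ' "$1"
}

# Return 0 if no kdc/admin_server property still points at the install default.
krb5_no_placeholder() {
    ! grep -Eq '^[[:space:]]*(kdc|admin_server)[[:space:]]*=[[:space:]]*kerberos\.example\.com' "$1"
}

# Return 0 if renew_lifetime is set inside [libdefaults] (needed for renewable tickets).
krb5_renewable() {
    awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        insec && /^[[:space:]]*renew_lifetime[[:space:]]*=/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Return 0 if kadm5.acl grants */admin@REALM full rights, i.e. a line "*/admin@REALM *".
kadm5_acl_ok() {
    awk -v realm="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        $1 == ("*/admin@" realm) && $2 == "*" { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Run all checks for one realm: prints one line per problem, returns 0 when clean.
kdc_preflight() {
    conf=$1; acl=$2; realm=$3; rc=0
    krb5_no_placeholder "$conf"  || { echo "krb5.conf: kdc/admin_server still set to kerberos.example.com"; rc=1; }
    krb5_renewable "$conf"       || { echo "krb5.conf: renew_lifetime missing from [libdefaults]"; rc=1; }
    kadm5_acl_ok "$acl" "$realm" || { echo "kadm5.acl: no '*/admin@$realm *' entry"; rc=1; }
    return $rc
}

# Constructed sample files: one correct configuration and one left at package defaults.
KDC_DEMO_DIR=$(mktemp -d)
cat > "$KDC_DEMO_DIR/krb5.conf.good" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 renew_lifetime = 7d

[realms]
 EXAMPLE.COM = {
  kdc = my.kdc.server
  admin_server = my.kdc.server
 }
EOF
cat > "$KDC_DEMO_DIR/krb5.conf.bad" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }
EOF
cat > "$KDC_DEMO_DIR/kadm5.acl.good" <<'EOF'
*/admin@EXAMPLE.COM *
EOF
cat > "$KDC_DEMO_DIR/kadm5.acl.bad" <<'EOF'
# ACL shipped by the package, never edited for the realm actually in use
*/admin@OTHER.REALM *
EOF

# Usage: check every realm declared in the good krb5.conf against the good ACL.
for realm in $(krb5_realms "$KDC_DEMO_DIR/krb5.conf.good"); do
    kdc_preflight "$KDC_DEMO_DIR/krb5.conf.good" "$KDC_DEMO_DIR/kadm5.acl.good" "$realm" && echo "$realm: OK"
done
```

Run the same three checks against the "bad" pair and each of the three problems is printed on its own line; the ACL check in particular catches the case the page calls out, where kadm5.acl still names a realm other than the one you created, so principal creation would fail until the entry is added and kadmind restarted.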