(Optional) Install a new MIT KDC
The following gives a very high level description of the KDC installation process.
Note: Because Kerberos is a time-sensitive protocol, all hosts in the realm must be time-synchronized, for example by using the Network Time Protocol (NTP). If the local system time of a client differs from that of the KDC by as little as 5 minutes (the default), the client will not be able to authenticate.
Install the KDC Server
- Install a new version of the KDC server:
RHEL/CentOS/Oracle Linux
yum install krb5-server krb5-libs krb5-workstation
SLES
zypper install krb5 krb5-server krb5-client
Ubuntu/Debian
apt-get install krb5-kdc krb5-admin-server
- Using a text editor, open the KDC server configuration file, located by default here:
vi /etc/krb5.conf
- Change the [realms] section of this file by replacing the default “kerberos.example.com” setting for the kdc and admin_server properties with the Fully Qualified Domain Name of the KDC server host. In the following example, “kerberos.example.com” has been replaced with “my.kdc.server”.
[realms]
  EXAMPLE.COM = {
    kdc = my.kdc.server
    admin_server = my.kdc.server
  }
- Some components, such as HUE, require renewable tickets. To configure MIT KDC to support them, ensure the following setting is specified in the [libdefaults] section of the /etc/krb5.conf file:
renew_lifetime = 7d
Note: For Ubuntu/Debian, the setup of the default realm for the KDC and KDC Admin hostnames is performed during the KDC server install. You can re-run setup using dpkg-reconfigure krb5-kdc. Therefore, Steps 2 and 3 above are not needed for Ubuntu/Debian.
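Before starting the KDC it is worth checking that the krb5.conf edits above actually took effect, because a kdc or admin_server value left at the placeholder, or a missing renew_lifetime, only shows up later as failed logins or non-renewable tickets. The following shell script is an added example and is not part of the original page or of the MIT Kerberos distribution; the function names realm_setting, libdefault and check_krb5_conf and the two sample configuration files written to temporary paths are constructed here for illustration. It reads a krb5.conf laid out as the steps above describe (a [libdefaults] section and a realm block under [realms]) and reports each problem it finds.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check of a krb5.conf
# before krb5kdc is started. Function names below are hypothetical helpers.

# Print the value of KEY inside the block for REALM under [realms] in FILE.
realm_setting() {
    file=$1; realm=$2; key=$3
    awk -v realm="$realm" -v key="$key" '
        /^\[/ { section = $1; inrealm = 0 }            # new section header
        section == "[realms]" && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && $1 == "}" { inrealm = 0 }           # end of the realm block
        inrealm && $1 == key && $2 == "=" { print $3; exit }
    ' "$file"
}

# Print the value of KEY in the [libdefaults] section of FILE.
libdefault() {
    file=$1; key=$2
    awk -v key="$key" '
        /^\[/ { section = $1 }
        section == "[libdefaults]" && $1 == key && $2 == "=" { print $3; exit }
    ' "$file"
}

# Return 0 if FILE is ready for REALM: kdc and admin_server present and no longer
# the placeholder host, and renew_lifetime set. Prints one line per problem.
check_krb5_conf() {
    file=$1; realm=$2; rc=0
    for key in kdc admin_server; do
        val=$(realm_setting "$file" "$realm" "$key")
        if [ -z "$val" ]; then
            echo "missing $key for realm $realm"; rc=1
        elif [ "$val" = "kerberos.example.com" ]; then
            echo "$key still set to the placeholder kerberos.example.com"; rc=1
        fi
    done
    if [ -z "$(libdefault "$file" renew_lifetime)" ]; then
        echo "renew_lifetime not set in [libdefaults]"; rc=1
    fi
    return $rc
}

# Constructed sample files: one edited as the steps describe, one left untouched.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.COM
  renew_lifetime = 7d

[realms]
  EXAMPLE.COM = {
    kdc = my.kdc.server
    admin_server = my.kdc.server
  }
EOF
cat > "$BAD_CONF" <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.COM

[realms]
  EXAMPLE.COM = {
    kdc = kerberos.example.com
    admin_server = kerberos.example.com
  }
EOF

for conf in "$GOOD_CONF" "$BAD_CONF"; do
    if check_krb5_conf "$conf" EXAMPLE.COM; then
        echo "$conf: ready"
    else
        echo "$conf: fix the problems above before starting krb5kdc"
    fi
done
```

Run it against the real file with check_krb5_conf /etc/krb5.conf YOUR.REALM; the awk parsing expects the multi-line realm block shown in the step above, one setting per line.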
Create the Kerberos Database
- Use the utility kdb5_util to create the Kerberos database.
RHEL/CentOS/Oracle Linux
kdb5_util create -s
SLES
kdb5_util create -s
Ubuntu/Debian
krb5_newrealm
Start the KDC
- Start the KDC server and the KDC admin server.
RHEL/CentOS/Oracle Linux 6
/etc/rc.d/init.d/krb5kdc start
/etc/rc.d/init.d/kadmin start
RHEL/CentOS/Oracle Linux 7
systemctl start krb5kdc
systemctl start kadmin
SLES
rckrb5kdc start
rckadmind start
Ubuntu/Debian
service krb5-kdc restart
service krb5-admin-server restart
Important: When installing and managing your own MIT KDC, it is very important to set up the KDC server to auto-start on boot. For example:
RHEL/CentOS/Oracle Linux 6
chkconfig krb5kdc on
chkconfig kadmin on
RHEL/CentOS/Oracle Linux 7
systemctl enable krb5kdc
systemctl enable kadmin
SLES
chkconfig rckrb5kdc on
chkconfig rckadmind on
Create a Kerberos Admin
Kerberos principals can be created either on the KDC machine itself or through the network, using an “admin” principal. The following instructions assume you are using the KDC machine and the kadmin.local command line administration utility. Using kadmin.local on the KDC machine allows you to create principals without needing to create a separate "admin" principal before you start.
Note: You will need to provide these admin account credentials to Ambari when enabling Kerberos. This allows Ambari to connect to the KDC, create the cluster principals and generate the keytabs.
- Create a KDC admin by creating an admin principal.
kadmin.local -q "addprinc admin/admin"
- Confirm that this admin principal has permissions in the KDC ACL. Using a text editor, open the KDC ACL file:
RHEL/CentOS/Oracle Linux
vi /var/kerberos/krb5kdc/kadm5.acl
SLES
vi /var/lib/kerberos/krb5kdc/kadm5.acl
Ubuntu/Debian
vi /etc/krb5kdc/kadm5.acl
- Ensure that the KDC ACL file includes an entry that allows the admin principal to administer the KDC for your specific realm. When using a realm other than EXAMPLE.COM, be sure there is an entry for the realm you are using; if one is not present, principal creation will fail. For example, for an admin/admin@HADOOP.COM principal, you should have the entry:
*/admin@HADOOP.COM *
- After editing and saving the kadm5.acl file, you must restart the kadmin process.
RHEL/CentOS/Oracle Linux 6
/etc/rc.d/init.d/kadmin restart
RHEL/CentOS/Oracle Linux 7
systemctl restart kadmin
SLES
rckadmind restart
Ubuntu/Debian
service krb5-admin-server restart
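The realm mismatch described above (an ACL entry for EXAMPLE.COM while the admin principal lives in HADOOP.COM) is easy to miss by eye, because the kadm5.acl entry looks right until the realm is compared. The following shell script is an added example, not part of the original page or of MIT Kerberos; the functions principal_matches and acl_permissions and the sample ACL file it writes to a temporary path are constructed for illustration. It reports which ACL entry, if any, would apply to a given principal, so the check can be run before the admin credentials are handed to Ambari.

```shell
#!/bin/sh
# Added example (not from the original page): find the kadm5.acl entry that
# applies to a principal, or report that none does. Helper names are hypothetical.

# Component-wise wildcard match of an ACL principal pattern against a principal.
# primary, instance and realm are each compared with shell pattern matching, so a
# "*" component matches any value of that component, but a pattern with an
# instance ("*/admin") never matches a principal without one ("admin"). This
# approximates the KDC's own matching closely enough for a pre-flight check;
# patterns or principals without an explicit @REALM are treated as non-matching.
principal_matches() {
    pat=$1; princ=$2
    case $pat in *@*) pat_realm=${pat##*@}; pat_name=${pat%@*} ;; *) return 1 ;; esac
    case $princ in *@*) p_realm=${princ##*@}; p_name=${princ%@*} ;; *) return 1 ;; esac
    case $pat_name in
        */*) pat_primary=${pat_name%%/*}; pat_inst=${pat_name#*/} ;;
        *)   pat_primary=$pat_name; pat_inst= ;;
    esac
    case $p_name in
        */*) p_primary=${p_name%%/*}; p_inst=${p_name#*/} ;;
        *)   p_primary=$p_name; p_inst= ;;
    esac
    # an instance must be present on both sides or on neither
    if [ -n "$pat_inst" ] && [ -z "$p_inst" ]; then return 1; fi
    if [ -z "$pat_inst" ] && [ -n "$p_inst" ]; then return 1; fi
    case $p_primary in $pat_primary) ;; *) return 1 ;; esac
    if [ -n "$p_inst" ]; then
        case $p_inst in $pat_inst) ;; *) return 1 ;; esac
    fi
    case $p_realm in $pat_realm) ;; *) return 1 ;; esac
    return 0
}

# Print the permissions field of the first kadm5.acl line in FILE that matches
# PRINC; return 1 if no entry applies. Blank lines and '#' comments are skipped.
acl_permissions() {
    file=$1; princ=$2
    while read -r entry perms _rest; do
        case $entry in ''|'#'*) continue ;; esac
        if principal_matches "$entry" "$princ"; then
            printf '%s\n' "$perms"; return 0
        fi
    done < "$file"
    return 1
}

# Constructed sample ACL: a wildcard entry for EXAMPLE.COM only, plus one
# named principal in HADOOP.COM.
ACL=$(mktemp)
trap 'rm -f "$ACL"' EXIT
cat > "$ACL" <<'EOF'
# constructed sample kadm5.acl for this example
*/admin@EXAMPLE.COM *
ambari/admin@HADOOP.COM acdil
EOF

for p in admin/admin@EXAMPLE.COM admin/admin@HADOOP.COM ambari/admin@HADOOP.COM; do
    if perms=$(acl_permissions "$ACL" "$p"); then
        echo "$p: allowed, permissions '$perms'"
    else
        echo "$p: no kadm5.acl entry applies; principal creation will fail"
    fi
done
```

Point acl_permissions at the real file for your distribution (for example /var/kerberos/krb5kdc/kadm5.acl on RHEL) with the admin principal you intend to give Ambari; remember that kadmin re-reads the ACL only after the restart in the last step.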