1.2. Install and Configure the KDC

To use Kerberos with HDP you can either use an existing KDC or install a new one for HDP's use.

The following instructions give a very high-level overview of the installation process. For more information, see the RHEL, CentOS, or SLES documentation.

Note: Because Kerberos is a time-sensitive protocol, all hosts in the realm must be time-synchronized, for example, by using the Network Time Protocol (NTP). If the local system time of a client differs from that of the KDC by 5 minutes or more (the default maximum clock skew), the client will not be able to authenticate.

  1. Execute the following commands to install the KDC server packages:

    [On RHEL or CentOS]
    yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation

    OR

    [On SLES]
    zypper install krb5 krb5-server krb5-client

    Note: The host machine where you install the KDC must itself be secure.

  2. Specify the realm.

    Edit the following two configuration files, located (by default) here:

    [On RHEL or CentOS]

    • /etc/krb5.conf

    • /var/kerberos/krb5kdc/kdc.conf.

    OR

    [On SLES]

    • /etc/krb5.conf

    • /var/lib/kerberos/krb5kdc/kdc.conf

    Change all instances of EXAMPLE.COM and example.com to the case-matched version of the domain name for the realm.

    Change the [realms] section by replacing the default kerberos.example.com setting for the kdc and admin_server properties with the fully qualified domain name (FQDN) of the KDC server host. In the example below, kerberos.example.com has been replaced with my.kdc.server.

    [realms]
     EXAMPLE.COM = {
      kdc = my.kdc.server
      admin_server = my.kdc.server
     }

  3. Ensure that the /etc/krb5.conf file has the following defaults:

    [libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

    Ensure that you change all instances of EXAMPLE.COM to the case-matched version of the domain name for your realm.

  4. Copy this updated /etc/krb5.conf file to all the nodes in your cluster.
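Steps 2 through 4 come down to two checks that are easy to get wrong by hand: no template placeholder may survive, and the [libdefaults] and [realms] values must match the realm and the KDC's FQDN. The Python script below is an added example, not code from the HDP documentation or from MIT Kerberos. It renders a krb5.conf for a realm and checks an existing file against those rules. The realm HDP.INTERNAL, the host kdc1.hdp.internal and STOCK_TEMPLATE are constructed sample values; the [domain_realm] section mirrors the example.com pair in the stock template, which is an assumption about that template's layout; the parser supports only the one level of `{ }` nesting used by [realms].

```python
"""Render and sanity-check a minimal /etc/krb5.conf for an HDP realm.

Added example for the KDC setup steps; not code from the HDP documentation.
HDP.INTERNAL, kdc1.hdp.internal and STOCK_TEMPLATE are constructed values.
"""

# [libdefaults] values the steps above require in every /etc/krb5.conf
REQUIRED_LIBDEFAULTS = {
    "dns_lookup_realm": "false",
    "dns_lookup_kdc": "false",
    "ticket_lifetime": "24h",
    "renew_lifetime": "7d",
    "forwardable": "true",
}

# Placeholders left in the stock templates; none may survive the edit.
TEMPLATE_PLACEHOLDERS = ("EXAMPLE.COM", "example.com")


def render_krb5_conf(realm, kdc_fqdn):
    """Produce a krb5.conf for one realm served by one KDC/admin host.

    The realm is forced to upper case; the lower-case domain is mapped to it in
    [domain_realm] (assumed layout, mirroring the example.com pair in the stock file).
    """
    realm = realm.upper()
    domain = realm.lower()
    lines = ["[libdefaults]", f" default_realm = {realm}"]
    lines += [f" {k} = {v}" for k, v in REQUIRED_LIBDEFAULTS.items()]
    lines += ["", "[realms]", f" {realm} = {{",
              f"  kdc = {kdc_fqdn}", f"  admin_server = {kdc_fqdn}", " }",
              "", "[domain_realm]", f" .{domain} = {realm}", f" {domain} = {realm}"]
    return "\n".join(lines) + "\n"


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}.

    A `key = { ... }` block becomes a nested dict. Only one level of nesting
    (what [realms] uses) is supported, which is all this check needs.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
            block = None
            continue
        if section is None:
            raise ValueError(f"setting outside any section: {raw!r}")
        if line == "}":
            block = None
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        target = section if block is None else block
        if value == "{":
            if block is not None:
                raise ValueError("nested blocks are not supported")
            block = target[key] = {}
        else:
            target[key] = value
    return conf


def check_krb5_conf(text, realm):
    """Return the list of problems found against steps 2 and 3; empty means it passes."""
    realm = realm.upper()
    problems = []
    for placeholder in TEMPLATE_PLACEHOLDERS:
        if placeholder in text:
            problems.append(f"template placeholder {placeholder} still present")
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    if lib.get("default_realm") != realm:
        problems.append(f"default_realm is {lib.get('default_realm')!r}, expected {realm!r}")
    for key, want in REQUIRED_LIBDEFAULTS.items():
        if lib.get(key) != want:
            problems.append(f"libdefaults {key} should be {want}, found {lib.get(key)!r}")
    realm_block = conf.get("realms", {}).get(realm)
    if not isinstance(realm_block, dict):
        problems.append(f"[realms] has no block for {realm}")
    else:
        for key in ("kdc", "admin_server"):
            host = realm_block.get(key, "").partition(":")[0]  # strip optional :port
            if "." not in host:
                problems.append(f"{key} = {host!r} is not a fully qualified host name")
    return problems


# Constructed stand-in for an untouched package template; it carries the
# dns_lookup_kdc and renew_lifetime deviations the check must catch.
STOCK_TEMPLATE = """[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""

if __name__ == "__main__":
    for problem in check_krb5_conf(STOCK_TEMPLATE, "HDP.INTERNAL"):
        print("stock template:", problem)
    rendered = render_krb5_conf("hdp.internal", "kdc1.hdp.internal")
    print(rendered)
    print("rendered problems:", check_krb5_conf(rendered, "HDP.INTERNAL"))
```

Run it against a real file with `check_krb5_conf(open("/etc/krb5.conf").read(), "YOUR.REALM")` before copying the file to the cluster nodes in step 4; a short host name for kdc or admin_server is reported because clients resolve these names from every node, where an unqualified name may not resolve at all.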
