DocsHortonworks Data Platform

 

 1.2. Install and Configure the KDC

To use Kerberos with HDP you can either use an existing KDC or install a new one for HDP's use.

The following instructions provide a very high level overview of the installation process. For more information, see RHEL documentation or CentOS documentation or SLES documentation.

[Note]Note

Because Kerberos is a time-sensitive protocol, all hosts in the realm must be time-synchronized, for example, by using the Network Time Protocol (NTP). If the local system time of a client differs from that of the KDC by as little as 5 minutes (the default), the client will not be able to authenticate.

  1. Execute the following commands to install a new version of the server:

    [On RHEL or CentOS]
yum install krb5-server krb5-libs krb5-auth-dialog krb5-workstation

    OR

    [On SLES]
zypper install krb5 krb5-server krb5-client
    [Note]Note

    The host machine where you install the KDC must itself be secure.

  2. Specify realm.

    Edit the following two configuration files, located (by default) here:

    [On RHEL or CentOS]

    • /etc/krb5.conf

    • /var/kerberos/krb5kdc/kdc.conf.

    OR

    [On SLES]

    • /etc/krb5.conf

    • /var/lib/kerberos/krb5kdc/kdc.conf

    Change all instances of EXAMPLE.COM and example.com to case-matched version of the domain name for the realm.

    Change the KDC value from kerberos.example.com to the fully qualified name (FQDN) of the Kerberos server host.

    Change the [realms] section of this file by replacing the default “kerberos.example.com” setting for the kdc and admin_server properties with the Fully Qualified Domain Name of the KDC server. In this example below, kerberos.example.com has been replaced with my.kdc.server. 

    [realms]
 EXAMPLE.COM = {
  kdc = my.kdc.server
  admin_server = my.kdc.server
}

  3. Ensure that /etc/krb5.conf file has the following defaults: 

    [libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

    Ensure that you change all instances of EXAMPLE.COM to case-matched version of the domain name for your realm.

  4. Copy this updated /etc/krb5.conf file to all the nodes in your cluster.

Legal notices
loading table of contents...