Security Reference

Create the Database and Set Up the First Administrator

How to create the Kerberos database and configure the first administrator when setting up Kerberos for non-Ambari clusters.

  1. Use the utility kdb5_util to create the Kerberos database:
    OS                             Run
    RHEL, CentOS, or Oracle Linux  /usr/sbin/kdb5_util create -s
    SLES                           kdb5_util create -s
    Ubuntu or Debian               kdb5_util -s create
    Note

    The -s option stores the master server key for the database in a stash file. If the stash file is not present, you must log into the KDC with the master password (specified during installation) each time it starts. This will automatically regenerate the master server key.

  2. Set up the KDC Access Control List (ACL):
    OS                             Action
    RHEL, CentOS, or Oracle Linux  Add administrators to /var/kerberos/krb5kdc/kadm5.acl.
    SLES                           Add administrators to /var/lib/kerberos/krb5kdc/kadm5.acl.
    Note

    For example, the following line grants full access to the database for users with the admin extension: */admin@EXAMPLE.COM *

  3. Start kadmin for the change to take effect.
  4. Create the first user principal. This must be done at a terminal window on the KDC machine itself, while you are logged in as root. Note the .local suffix on the command: normal kadmin usage requires that a principal with appropriate access already exist, whereas the kadmin.local command can be used even if no principals exist:
    /usr/sbin/kadmin.local -q "addprinc $username/admin"

    Now this user can create additional principals either on the KDC machine or through the network. The following instruction assumes that you are using the KDC machine.

  5. On the KDC, start Kerberos:
    OS                             Run
    RHEL, CentOS, or Oracle Linux  /sbin/service krb5kdc start
                                   /sbin/service kadmin start
    SLES                           rckrb5kdc start
                                   rckadmind start
    Ubuntu or Debian               /etc/init.d/krb5-kdc start
                                   /etc/init.d/kadmin start
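
The ACL entry from step 2 gives every */admin principal all privileges, so it is worth reviewing what kadm5.acl grants before kadmin is started. The script below is an added example, not part of the original documentation. It assumes the MIT Kerberos ACL line format (principal, permissions, optional target principal); the function names and every sample entry other than the */admin line are constructed for illustration.

```shell
#!/bin/sh
# Added example: review a kadm5.acl file for broad administrative grants.
# Assumed line format (MIT Kerberos): principal  permissions  [target_principal]
# In the permissions field, "*" and "x" both mean all privileges.

# audit_kadm5_acl FILE
# Prints one line per entry: <FULL|LIMITED> <WILDCARD|EXACT> principal perms target
# ("-" as target means the entry is not limited to particular target principals).
audit_kadm5_acl() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }                  # skip blank and comment lines
        NF < 2 { print "MALFORMED line " NR ": " $0; next }
        {
            scope  = ($2 ~ /[*x]/) ? "FULL" : "LIMITED"
            kind   = (index($1, "*") > 0) ? "WILDCARD" : "EXACT"
            target = (NF >= 3) ? $3 : "-"
            print scope, kind, $1, $2, target
        }
    ' "$1"
}

# count_unrestricted_wildcard_admins FILE
# Number of entries that give all privileges to a wildcard principal with no
# target restriction. These are the entries to review first.
count_unrestricted_wildcard_admins() {
    audit_kadm5_acl "$1" | grep -c '^FULL WILDCARD .* -$' || true
}

# write_sample_acl FILE
# Constructed sample ACL; only the */admin line comes from the page.
write_sample_acl() {
    cat > "$1" <<'EOF'
# constructed sample for the audit example
*/admin@EXAMPLE.COM *
alice/admin@EXAMPLE.COM li
ops@EXAMPLE.COM x
*/helpdesk@EXAMPLE.COM c *@EXAMPLE.COM
EOF
}

# Demo run against the constructed sample.
demo_acl=$(mktemp)
write_sample_acl "$demo_acl"
audit_kadm5_acl "$demo_acl"
echo "unrestricted wildcard admin entries: $(count_unrestricted_wildcard_admins "$demo_acl")"
rm -f "$demo_acl"
```

To review a real KDC, pass the kadm5.acl path for your OS from step 2 to audit_kadm5_acl instead of the sample file.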