Using the FreeIPA IP address in the krb5.conf file
Follow these steps to obtain a Kerberos token from the FreeIPA node, using the FreeIPA IP address in the krb5.conf file.
- Install the unbound package. SSH into the external edge node as the root user
  and install the unbound package.

      yum install unbound -y

- Use the klist/kinit command to verify that the Kerberos client
  package is installed.

      [root@node1 ~]# klist
      -bash: klist: command not found

  If the package is not available or installed, you can install it with the OS-specific installation command. For a Red Hat-based installation, use the following command:

      # yum install krb5-workstation* -y

- Verify the package installation.

      [root@node1 ~]# klist
      klist: Credentials cache keyring 'persistent:0:0' not found

- Verify that inbound port 88 (both TCP and UDP) is open in the FreeIPA security group, firewall, and NSG for the edge node IP address or the CIDR range.
- Update the [realms] section of the /etc/krb5.conf file with the FreeIPA IP address of the
  target environment (direct IP address of IPA nodes).
  If there is more than one realm, follow the Kerberos instructions. Place the configuration under /etc/krb5.conf.d.
- Copy the [domain_realm] section from the krb5.conf file of one of the datalake nodes. Specify
  the default_realm according to the krb5.conf file of the datalake node.

      # To opt out of the system crypto-policies configuration of krb5, remove the
      # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
      includedir /etc/krb5.conf.d/

      [logging]
          default = FILE:/var/log/krb5libs.log
          kdc = FILE:/var/log/krb5kdc.log
          admin_server = FILE:/var/log/kadmind.log

      [libdefaults]
          dns_lookup_realm = false
          ticket_lifetime = 24h
          renew_lifetime = 7d
          forwardable = true
          rdns = false
          spake_preauth_groups = edwards25519
          default_realm = TESTENV.DEMO.CLOUDERA.SITE
          default_ccache_name = /tmp/krb5cc_%{uid}

      [realms]
          TESTENV.DEMO.CLOUDERA.SITE = {
              kdc = 54.92.214.85
              kdc = 34.206.173.3
              admin_server = 54.92.214.85
              admin_server = 34.206.173.3
          }

      [domain_realm]
          .testenv.demo.cloudera.site = SUP-DEFA.LSKX-PVUE.A4.CLOUDERA.SITE
          testenv.demo.cloudera.site = SUP-DEFA.LSKX-PVUE.A4.CLOUDERA.SITE

- Try to obtain a Kerberos token for a CDP user.

      # kinit <cdp-user>
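A pre-flight check for the krb5.conf edited in the steps above, as an added example that is not part of the original procedure: it confirms that default_realm has at least one kdc entry and that every [domain_realm] mapping points at a realm defined in [realms]. The function names, the realm EXAMPLE.TEST and the 192.0.2.x addresses are constructed placeholders, and the check assumes KDCs are located only through [realms], as in this IP-based setup.

```shell
#!/bin/sh
# Added example: offline checks for a krb5.conf that pins KDCs by IP address.
# Files pulled in through includedir are not followed.

# Print the kdc values configured for realm $2 in file $1, one per line.
krb5_kdcs() {
  awk -v want="$2" '
    /^[ \t]*[#;]/ { next }
    { gsub(/^[ \t]+|[ \t]+$/, ""); split($0, kv, /[ \t]*=[ \t]*/) }
    /^\[/ { sec = $0; next }
    sec == "[realms]" && kv[2] == "{" { realm = kv[1]; next }
    sec == "[realms]" && $0 == "}" { realm = ""; next }
    sec == "[realms]" && realm == want && kv[1] == "kdc" { print kv[2] }
  ' "$1"
}

# Exit 0 only if default_realm has a kdc and each [domain_realm] target is in [realms].
krb5_check() {
  awk '
    /^[ \t]*[#;]/ { next }
    { gsub(/^[ \t]+|[ \t]+$/, ""); n = split($0, kv, /[ \t]*=[ \t]*/) }
    /^\[/ { sec = $0; next }
    sec == "[libdefaults]" && kv[1] == "default_realm" { def = kv[2] }
    sec == "[realms]" && kv[2] == "{" { realm = kv[1]; seen[realm] = 1; next }
    sec == "[realms]" && $0 == "}" { realm = ""; next }
    sec == "[realms]" && realm != "" && kv[1] == "kdc" { kdcs[realm]++ }
    sec == "[domain_realm]" && n == 2 { map[kv[1]] = kv[2] }
    END {
      if (def == "") { print "FAIL: no default_realm in [libdefaults]"; bad = 1 }
      else if (!kdcs[def]) { print "FAIL: no kdc in [realms] for " def; bad = 1 }
      for (d in map) if (!(map[d] in seen)) {
        print "FAIL: " d " maps to " map[d] ", which has no [realms] stanza"; bad = 1
      }
      if (!bad) print "OK: " def " with " kdcs[def] " kdc entries"
      exit bad + 0
    }
  ' "$1"
}

# Constructed sample: realm name and RFC 5737 addresses are placeholders.
# $1 = output file, $2 = realm that the bare domain maps to.
write_sample() {
  printf '%s\n' '[libdefaults]' '  default_realm = EXAMPLE.TEST' \
    '[realms]' '  EXAMPLE.TEST = {' '    kdc = 192.0.2.10' '    kdc = 192.0.2.11' \
    '  }' '[domain_realm]' '  .example.test = EXAMPLE.TEST' \
    "  example.test = $2" > "$1"
}

tmp=$(mktemp) && write_sample "$tmp" EXAMPLE.TEST && krb5_check "$tmp"; rm -f "$tmp"
```

Run `krb5_check /etc/krb5.conf` before `kinit`; the addresses printed by `krb5_kdcs` are the ones that need port 88 open from the edge node.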
