Kerberos Installation and Configuration - 7challa/cloudera-kerberize-encrypt GitHub Wiki
Kerberos Installation and Configuration
On the host designated as KDC run
yum install -y krb5-server
If you want to integrate with OpenLDAP, install openldap-clients on KDC host.
yum install -y openldap-clients
Edit /etc/krb5.conf: set the realm name, the kdc / admin_server host names under [realms], and the domain-to-realm mapping under [domain_realm]. Then set the encryption types under [libdefaults]. Restrict them to AES types: single DES (des-cbc-md5) is ignored unless allow_weak_crypto = true and has been removed entirely from MIT krb5 1.18 and later, so listing it adds nothing except the risk of a downgrade on older builds.
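# AES only. des-cbc-md5 is single DES: it is ignored while allow_weak_crypto
# is false (the default) and is no longer compiled into MIT krb5 >= 1.18, so
# keeping it in the list only invites a downgrade on old builds.
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96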
Update /var/kerberos/krb5kdc/kadm5.acl to grant kadmin rights to the administrative principal(s). Keep this list as small as possible: a `*` permission lets the principal add, delete, change or extract the key of every principal in the realm.
Update /var/kerberos/krb5kdc/kdc.conf [realm name, max_life / max_renewable_life, supported_enctypes]. Note that the KDC's limits here cap whatever lifetimes clients request in krb5.conf.
Create the KDC database: "kdb5_util create -s" [remember the master password]. The -s flag writes the master key to a stash file (/var/kerberos/krb5kdc/.k5.REALM) so krb5kdc and kadmind can start without a prompt; that file contains the key in cleartext, so keep it readable by root only.
On every node that is part of the hadoop cluster, install krb5-workstation and copy the same /etc/krb5.conf from the KDC host so clients can locate the KDC and admin server.
yum install krb5-workstation
Initializing Kerberos (always pass -s, as in the transcript below; without it no master-key stash is written and krb5kdc cannot start unattended after a reboot)
sudo kdb5_util create -s
[root@localhost krb5kdc]# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'HADOOPSECURITY.COM',
master key name 'K/M@HADOOPSECURITY.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_util: File exists while creating database '/var/kerberos/krb5kdc/principal'
(This transcript ran against a KDC that already had a database: the error means /var/kerberos/krb5kdc/principal* already exists and nothing was created. On a fresh host you will not see it; to start over, run `kdb5_util destroy` or remove the old principal* and .k5.* files before re-running create.)
NOTE: This demo sets the master password to "admin". Never do this outside a throwaway lab: the master key encrypts every principal key in the database and is stored in cleartext in the stash file /var/kerberos/krb5kdc/.k5.HADOOPSECURITY.COM, so use a long random passphrase and keep the stash file root-only (mode 0600).
sudo service krb5kdc start
sudo service kadmin start
Set krb5kdc and kadmin to start automatically at the desired runlevels (SysV commands for RHEL/CentOS 6; on systemd releases use `systemctl enable krb5kdc kadmin` instead)
chkconfig --level 2345 krb5kdc on
chkconfig --level 2345 kadmin on
Sample krb5.conf
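[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = HADOOPSECURITY.COM
  # Realm and KDC are pinned in [realms]/[domain_realm] below; disabling DNS
  # lookups means a spoofed SRV/TXT answer cannot steer clients to a rogue KDC.
  dns_lookup_realm = false
  dns_lookup_kdc = false
  # Lifetimes *requested* by clients. The KDC's max_life / max_renewable_life
  # in kdc.conf are hard caps and silently win if they are lower.
  ticket_lifetime = 24h
  renew_lifetime = 7d
  # Tickets are requested forwardable; kdc.conf must also allow +forwardable.
  forwardable = true
  # AES only. Single DES (des-cbc-md5) is ignored while allow_weak_crypto is
  # false (the default) and was removed in MIT krb5 1.18; RC4 and 3DES are
  # deprecated. Listing weak types here only enables downgrade on old builds.
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  # Prefer TCP over UDP
  udp_preference_limit = 1
  # Maximum time to wait for a reply from the KDC
  kdc_timeout = 3000

[realms]
  HADOOPSECURITY.COM = {
    kdc = secure.hadoop.example.com
    # kadmind (admin_server) only needs to be reachable from administrative
    # hosts; restrict its port at the firewall rather than exposing it cluster-wide.
    admin_server = secure.hadoop.example.com
  }

[domain_realm]
  .example.com = HADOOPSECURITY.COM
  example.com = HADOOPSECURITY.COM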
Sample kdc.conf
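[kdcdefaults]
  kdc_ports = 88
  kdc_tcp_ports = 88

[realms]
  HADOOPSECURITY.COM = {
    # The master key type is fixed when "kdb5_util create -s" runs. Uncomment
    # this BEFORE creating the database if you want it explicit; do not change
    # it afterwards or the KDC will no longer find its key in the stash file.
    #master_key_type = aes256-cts
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    # Principal passwords found in this word list are rejected.
    dict_file = /usr/share/dict/words
    # Hard caps on what clients may request. Tickets are issued for at most 1h
    # but may be renewed for up to 7d, which long-running Hadoop services rely
    # on instead of re-authenticating. This value must be >= the renew_lifetime
    # clients ask for in krb5.conf (7d); a lower value here (e.g. 7h) silently
    # truncates the renew window.
    max_renewable_life = 7d
    max_life = 1h
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    # AES only. Every DES/RC4/3DES entry here gives each new principal a weak
    # long-term key that an attacker can target. If a cluster JDK lacks
    # unlimited-strength JCE it fails on aes256 with "Illegal key size" --
    # install the policy files (or use aes128) rather than re-adding weak types.
    supported_enctypes = aes256-cts:normal aes128-cts:normal
    default_principal_flags = +renewable, +forwardable
  }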
Sample kadm5.acl
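# principal                       permissions
# Every principal with an "/admin" instance receives all kadmin rights (*),
# which includes changing or extracting any key in the realm. Create as few
# "/admin" principals as possible, or list the specific ones you create here
# instead of the wildcard, and give read-only tasks narrower permissions.
*/admin@HADOOPSECURITY.COM *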