Kerberos Server and Client Installation & Configuration

Kerberos is a network authentication protocol used to allow services to provide their identity over a non-secure network. Kerberos implementations include MIT Kerberos 5 and also an implementation within Active Directory. This document is based off of the Red Hat documentation https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/installing-kerberos.html.

Installation

The commands below will install the Kerberos server and client for a RedHat installation based upon the yum package manager.

1. Execute following command to Kerberos Server.

   yum install krb5-server krb5-workstation krb5-libs krb5-auth-dialog krb5-pkinit-openssl

   (Note : krb5-auth-dialog is no longer supported in RHEL7 according to https://access.redhat.com/discussions/1471433)
2. Execute following command to install Kerberos Client.
   

   sudo yum install -y krb5-workstation krb5-libs krb5-auth-dialog krb5-pkinit-openssl
   

Master KDC Server Configuration

The files /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf need to be edited to configure the Kerberos Key Distribution Center (KDC). Replace EXAMPLE.COM and example.com with the appropriate realm and domain name. Realm names are uppercase and domain names are lowercase. The kdc and admin_server should have the hostname of the server running the services.

The sample krb5.conf file belows shows the use of the realm INFOGIX.COM and domain name of infogix.com.

• Modification of /etc/krb5.conf :

The /etc/krb5.conf can be modified by replacing EXAMPLE and example with the correct realm and domain name respectively.

[libdefaults]
 renew_lifetime = 7d
 forwardable = true
 default_realm = INFOGIX.COM
 ticket_lifetime = 24h
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_ccache_name = /tmp/krb5cc_%{uid}
 #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
 #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

[logging]
 default = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 kdc = FILE:/var/log/krb5kdc.log

[realms]
 INFOGIX.COM = {
 admin_server = perfln3.infogix.com
 kdc = perfln3.infogix.com
 }

[domain_realm]
 
 .infogix.com = INFOGIX.COM
 
 infogix.com = INFOGIX.COM

• Modification of /var/kerberos/krb5kdc/kdc.conf:

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 INFOGIX.COM = {
 #master_key_type = aes256-cts
 acl_file = /var/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
 supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }

• Create the Kerberos Database

  sudo /usr/sbin/kdb5_util create -s

• Modify /var/kerberos/krb5kdc/kadm5.acl

  */admin@INFOGIX.COM *

• Create the admin principal using kadmin.local

  sudo kadmin.local -q "addprinc admin/admin"

• Enable and start the Kerberos KDC and Kadmin server

  sudo systemctl enable krb5kdc kadmin
  
  sudo systemctl start krb5kdc kadmin

• Verify Connectivity with kadmin

  sudo kadmin -p admin/admin

Kerberos Clients Configuration:

1. Copy /etc/krb5.conf to the client under /etc/
2. Verify the connectivity by using kadmin

   sudo kadmin -p "admin/admin"

Create User Principal for DQ+ Application and generate keytab:

1. sudo kadmin.local
2. add_principal -randkey sagacity@INFOGIX.COM
3. ktadd -k /home/sagacity/sagacity.keytab sagacity
4. List all principal by executing “list_principals” newly added principal will show up.

Verification:

1. To verify if the new added user principal able to read the HDFS.
2. hdfs dfs –ls /

The above command should show the Hadoop file System.