Kerberos Server and Client Installation & Configuration
Kerberos is a network authentication protocol that lets users and services prove their identity to each other over an untrusted network, using tickets issued by a trusted Key Distribution Center (KDC) instead of sending passwords across the wire. Implementations include MIT Kerberos 5 and the one built into Active Directory. This document is based on the Red Hat documentation at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/installing-kerberos.html.
Installation
The commands below install the Kerberos server and client on a Red Hat based system using the yum package manager.
- Execute the following command to install the Kerberos server:
yum install krb5-server krb5-workstation krb5-libs krb5-auth-dialog krb5-pkinit-openssl
(Note: krb5-auth-dialog is no longer supported in RHEL7 according to https://access.redhat.com/discussions/1471433; drop it from the package list on RHEL7.)
- Execute the following command to install the Kerberos client:
sudo yum install -y krb5-workstation krb5-libs krb5-auth-dialog krb5-pkinit-openssl
Master KDC Server Configuration
The files /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf need to be edited to configure the Kerberos Key Distribution Center (KDC). Replace EXAMPLE.COM and example.com with the appropriate realm and domain name. Realm names are uppercase and domain names are lowercase. The kdc and admin_server should have the hostname of the server running the services.
The sample krb5.conf file below uses the realm INFOGIX.COM and the domain name infogix.com.
- Modification of /etc/krb5.conf:
Edit /etc/krb5.conf, replacing EXAMPLE.COM and example.com with the correct realm and domain name respectively, and set kdc and admin_server to the fully qualified hostname of the KDC.
[libdefaults]
renew_lifetime = 7d
forwardable = true
default_realm = INFOGIX.COM
ticket_lifetime = 24h
dns_lookup_realm = false
dns_lookup_kdc = false
default_ccache_name = /tmp/krb5cc_%{uid}
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
[logging]
default = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
kdc = FILE:/var/log/krb5kdc.log
[realms]
INFOGIX.COM = {
admin_server = perfln3.infogix.com
kdc = perfln3.infogix.com
}
[domain_realm]
.infogix.com = INFOGIX.COM
infogix.com = INFOGIX.COM
- Modification of /var/kerberos/krb5kdc/kdc.conf (the supported_enctypes list below keeps the single-DES des-* types and RC4 arcfour-hmac only for legacy clients; both are weak, so remove them unless an old client genuinely requires them):
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
INFOGIX.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
- Create the Kerberos Database
sudo /usr/sbin/kdb5_util create -s
- Modify /var/kerberos/krb5kdc/kadm5.acl
*/admin@INFOGIX.COM *
- Create the admin principal using kadmin.local
sudo kadmin.local -q "addprinc admin/admin"
- Enable and start the Kerberos KDC and Kadmin server
sudo systemctl enable krb5kdc kadmin
sudo systemctl start krb5kdc kadmin
- Verify connectivity with kadmin
sudo kadmin -p admin/admin
Kerberos Client Configuration:
- Copy /etc/krb5.conf to the client under /etc/
- Verify the connectivity by using kadmin
sudo kadmin -p "admin/admin"
Create User Principal for DQ+ Application and generate keytab:
- sudo kadmin.local
- add_principal -randkey sagacity@INFOGIX.COM
- ktadd -k /home/sagacity/sagacity.keytab sagacity
- Make sure the keytab is owned by the sagacity user and readable by nobody else; it holds the principal's key, so anyone who can read it can authenticate as that principal. Note that running ktadd again generates a new key and invalidates any keytab exported earlier.
- List all principals with list_principals; the newly added principal should appear.
Verification:
- To verify that the newly added user principal is able to read HDFS, first obtain a ticket for the principal from its keytab with kinit, then list the file system:
- hdfs dfs -ls /
The above command should list the root of the Hadoop file system.
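The POSIX shell script below is an added example, not part of the original article or the DQ+ product. It bundles the principal and keytab steps above with the checks a practitioner wants before handing a keytab over: the principal is fully qualified with the realm, the keytab is owned by the application user and unreadable by anyone else, and a ticket is actually obtained from it with kinit -kt before the HDFS listing is attempted. The realm, principal, keytab path and owner default to the article's values and are assumptions; the kadmin.local and hdfs steps run only where those tools exist, while the pure checks run anywhere.

```shell
#!/bin/sh
# Added example (not from the original article): provision an application
# principal, export its keytab safely, and verify that the keytab works.
# Assumed defaults below follow the article; override via the environment.
REALM="${REALM:-INFOGIX.COM}"
PRINC_NAME="${PRINC_NAME:-sagacity}"
KEYTAB="${KEYTAB:-/home/sagacity/sagacity.keytab}"
OWNER="${OWNER:-sagacity}"

# Fully qualify a principal with the realm unless it already carries one.
canon_principal() {
    case "$1" in
        *@*) printf '%s\n' "$1" ;;
        *)   printf '%s@%s\n' "$1" "$2" ;;
    esac
}

# Keytab hygiene: the file must exist, be owned by the given user and carry no
# group/other permission bits (mode -rw------- or tighter). 0 = OK, 1 = not OK.
check_keytab_perms() {
    kt="$1"; owner="$2"
    [ -f "$kt" ] || return 1
    set -- $(ls -ld "$kt")          # $1 = mode string, $3 = owner
    [ "$3" = "$owner" ] || return 1
    case "$1" in
        -r??------*) return 0 ;;    # trailing @ or + (xattr/ACL marker) tolerated
        *)           return 1 ;;
    esac
}

# KDC side (run as root): create the principal with a random key and export it.
# Returns 2 when kadmin.local is absent, i.e. this is not the KDC host.
provision_keytab() {
    princ=$(canon_principal "$PRINC_NAME" "$REALM")
    command -v kadmin.local >/dev/null 2>&1 || { echo "kadmin.local not found; run this on the KDC" >&2; return 2; }
    kadmin.local -q "add_principal -randkey $princ" || return 1
    # ktadd generates a fresh key: re-running it invalidates any earlier keytab.
    kadmin.local -q "ktadd -k $KEYTAB $princ" || return 1
    chown "$OWNER" "$KEYTAB" && chmod 600 "$KEYTAB"
}

# Application side (run as the owner): refuse a badly protected keytab, get a
# TGT from it, show it, and list HDFS root if the hdfs client is installed.
verify_keytab() {
    princ=$(canon_principal "$PRINC_NAME" "$REALM")
    check_keytab_perms "$KEYTAB" "$OWNER" || { echo "keytab owner/permissions wrong: $KEYTAB" >&2; return 1; }
    kinit -kt "$KEYTAB" "$princ" || return 1
    klist
    if command -v hdfs >/dev/null 2>&1; then
        hdfs dfs -ls /
    fi
}

# Usage: sh provision-keytab.sh provision   (on the KDC, as root)
#        sh provision-keytab.sh verify      (as the application user)
case "${1:-}" in
    provision) provision_keytab ;;
    verify)    verify_keytab ;;
esac
```

If kinit fails with a preauthentication or "key table entry not found" error after a second ktadd, the keytab on the client is stale: copy the newly exported one over it rather than re-running ktadd a third time.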