Install Kerberos KDC Server
This Kerberos server is used by a Hadoop cluster, so the configuration follows Hadoop's conventions.
This tutorial uses CentOS 7.x.
First, install the Kerberos server, libraries, and workstation tools on the KDC host.
yum -y install krb5-server krb5-libs krb5-workstation
After installation, edit the configuration file /etc/krb5.conf:
vi /etc/krb5.conf
Change the configuration to match your REALM. In this scenario I'm using HADOOP.COM as my REALM. Realm names are case-sensitive and upper-case by convention; the DNS domain names in [domain_realm] are lower-case, since the library lower-cases a hostname before looking it up there.
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = HADOOP.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
HADOOP.COM = {
kdc = kdc.hadoop.com
admin_server = kdc.hadoop.com
}

[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
The second file to adjust is kdc.conf:
vi /var/kerberos/krb5kdc/kdc.conf
Replace EXAMPLE.COM with your REALM and remove the comment (#) from supported_enctypes. Pay attention to the encryption types you advertise: the default master key type is aes256-cts, but the stock supported_enctypes list below also includes DES, triple-DES and RC4 (arcfour-hmac). Those are weak and, unless a legacy client forces you to keep them, should be removed so that only the AES types (and optionally Camellia) remain. One Hadoop-specific caveat: Java clients older than 8u161 need the JCE Unlimited Strength policy files installed to use AES-256 Kerberos keys, otherwise they fail to authenticate against an aes256-cts principal.
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
HADOOP.COM = {
master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal
}
The last file is kadm5.acl:
vi /var/kerberos/krb5kdc/kadm5.acl
Replace EXAMPLE.COM with your REALM. This single rule grants every principal with an /admin instance full rights in kadmin, so create such principals sparingly.
*/admin@HADOOP.COM *
Now create the Kerberos database (the -s flag writes a stash file so the KDC can start without prompting for the master key):
kdb5_util create -s
You will be prompted for the database master password. Choose a strong one and keep it safe; because the stash file holds the master key, anyone who can read /var/kerberos/krb5kdc on this host can decrypt the whole database, so keep that directory root-only.
Start the Kerberos services (on CentOS 7 these are systemd units, so service is redirected to systemctl; enable both units as well if you want them to start at boot):
service krb5kdc start
service kadmin start
After the Kerberos services are up, create the admin principal:
kadmin.local -q "addprinc admin/admin"
You will be asked for the admin principal's password. This principal matches the */admin@HADOOP.COM rule in kadm5.acl, so it has full administrative rights.
Now let's enter the kadmin shell over the network. Unlike kadmin.local, this goes through kadmind and the ACL, so it also verifies that the service and the ACL work:
kadmin -p admin/admin
To list all the created principals, enter the following command in the kadmin shell:
listprincs
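As an added example, not code from the original tutorial, the following POSIX shell script carries the steps above end to end: it renders the three KDC files for a realm, advertising only AES enctypes, stages them in a scratch directory for review (or writes them in place for a real install), includes an audit check that flags weak enctypes in any kdc.conf, and emits the kadmin commands for per-host Hadoop service principals. REALM, KDC_HOST, DNS_DOMAIN, the service names (hdfs, yarn, HTTP) and the keytab path are placeholder assumptions to adjust for your cluster.

```shell
#!/bin/sh
# Added example (not the tutorial's code): render the three KDC files for a realm
# advertising only AES enctypes, stage them for review or write them in place, and
# emit kadmin commands for per-host Hadoop service principals. REALM, KDC_HOST,
# DNS_DOMAIN, the service names and the keytab path are placeholder assumptions.
set -eu

REALM="${REALM:-HADOOP.COM}"           # realm names are upper-case by convention
KDC_HOST="${KDC_HOST:-kdc.hadoop.com}"
DNS_DOMAIN="${DNS_DOMAIN:-hadoop.com}" # lower-case DNS domain for [domain_realm]
OUT_ROOT="${OUT_ROOT:-}"               # e.g. /tmp/kdc-stage; empty means the real /

# /etc/krb5.conf: library defaults plus the realm -> KDC mapping.
render_krb5_conf() {
    cat <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = $REALM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_ccache_name = KEYRING:persistent:%{uid}
[realms]
 $REALM = {
  kdc = $KDC_HOST
  admin_server = $KDC_HOST
 }
[domain_realm]
 .$DNS_DOMAIN = $REALM
 $DNS_DOMAIN = $REALM
EOF
}

# kdc.conf: DES, 3DES and RC4 are deliberately left out of supported_enctypes.
render_kdc_conf() {
    cat <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
[realms]
 $REALM = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
EOF
}

# kadm5.acl: every principal with an /admin instance gets full kadmin rights.
render_kadm5_acl() {
    printf '*/admin@%s *\n' "$REALM"
}

# Audit check: read a kdc.conf on stdin and print each weak enctype it advertises.
list_weak_enctypes() {
    sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' |
        tr ' ' '\n' | grep -E '^(des|arcfour|rc4)' || true
}

# Write the rendered files under $OUT_ROOT, creating the directories as needed.
stage_configs() {
    mkdir -p "$OUT_ROOT/etc" "$OUT_ROOT/var/kerberos/krb5kdc"
    render_krb5_conf > "$OUT_ROOT/etc/krb5.conf"
    render_kdc_conf  > "$OUT_ROOT/var/kerberos/krb5kdc/kdc.conf"
    render_kadm5_acl > "$OUT_ROOT/var/kerberos/krb5kdc/kadm5.acl"
}

# kadmin commands for one host: random-key service principals exported to keytabs.
# Usage: service_principal_cmds dn1.hadoop.com hdfs yarn HTTP
service_principal_cmds() {
    host="$1"; shift
    for svc in "$@"; do
        printf 'addprinc -randkey %s/%s@%s\n' "$svc" "$host" "$REALM"
        printf 'ktadd -k /etc/security/keytabs/%s.service.keytab %s/%s@%s\n' \
            "$svc" "$svc" "$host" "$REALM"
    done
}

# The tutorial's steps end to end on a real CentOS 7 KDC host (run as root).
install_kdc() {
    yum -y install krb5-server krb5-libs krb5-workstation
    OUT_ROOT=""; stage_configs              # write to the real /etc and /var
    kdb5_util create -s                     # prompts for the database master password
    systemctl enable krb5kdc kadmin
    systemctl start krb5kdc kadmin
    kadmin.local -q "addprinc admin/admin"  # prompts for the admin password
}
if [ "${1:-}" = "--install" ]; then install_kdc; fi
```

Run it with no arguments and OUT_ROOT set to review the rendered files before touching the KDC (`OUT_ROOT=/tmp/kdc-stage sh kdc.sh; stage_configs` from a sourcing shell, or source the file and call the functions), pipe any existing kdc.conf into list_weak_enctypes to see what a KDC still advertises, and feed the output of service_principal_cmds to kadmin.local once the database exists. Only `--install` performs the yum, kdb5_util and systemctl steps.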
That's all it takes to create a Kerberos server on CentOS 7.x.
If you're using Kerberos to authenticate a Cloudera Hadoop cluster, give Cloudera Manager its own admin principal (one that matches the */admin rule in kadm5.acl) so it can create the per-service principals and keytabs for you instead of you creating each one by hand.