Install Kerberos KDC Server

Syarif Hidayatullah
2 min read · Oct 28, 2020

This Kerberos server is used for a Hadoop cluster, so the configuration follows Hadoop's preferences.

This tutorial uses CentOS 7.x.

First, install the Kerberos server, libraries, and workstation packages on the KDC server.

yum -y install krb5-server krb5-libs krb5-workstation

After installation, edit the configuration file krb5.conf:

vi /etc/krb5.conf

Change the configuration to match your REALM. In this scenario I'm using HADOOP.COM as my REALM. The realm name is upper-case; the host and domain names under [domain_realm] are lower-case.

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_realm = HADOOP.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
HADOOP.COM = {
kdc = kdc.hadoop.com
admin_server = kdc.hadoop.com
}

# Host and domain names in this section must be lower-case; only the realm name is upper-case.
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM

The second configuration file you need to adjust is kdc.conf:

vi /var/kerberos/krb5kdc/kdc.conf

Replace EXAMPLE with your REALM and uncomment (remove the #) the supported_enctypes line. Take note of the encryption types you enable; the default master key type is aes256-cts. The des* and arcfour (RC4) types in the stock template exist only for legacy clients, so drop them if nothing in your cluster needs them.

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
HADOOP.COM = {
master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
# des*, arcfour (RC4): legacy types from the stock template; remove them if no client needs them
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal
}

The last configuration file is kadm5.acl:

nano /var/kerberos/krb5kdc/kadm5.acl

Just replace EXAMPLE with your REALM. This one line grants every principal with an /admin instance full rights in kadmin.

*/admin@HADOOP.COM *
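The three files above are edited by hand in the post. As an added example (not the author's script), the shell functions below render all three for one REALM and then audit the result for the two slips the stock CentOS 7 template invites: upper-case keys in [domain_realm], which never match because MIT krb5 lower-cases the host name before the lookup, and DES/RC4 entries in supported_enctypes. It assumes the realm is given in upper-case, that the KDC host is kdc.<realm in lower case>, and that only AES enctypes are wanted; the output directory, the function names and the demo realm are my choices.

```shell
#!/bin/sh
# Added example, not from the original post: render krb5.conf, kdc.conf and
# kadm5.acl for one REALM and audit them. Assumptions: REALM is upper-case,
# the KDC host is kdc.<realm lower-cased>, only AES enctypes are wanted.

# Lower-case a string; [domain_realm] keys must be lower-case.
lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# render_kdc_configs REALM OUTDIR
# Writes OUTDIR/krb5.conf, OUTDIR/kdc.conf and OUTDIR/kadm5.acl.
render_kdc_configs() {
    realm=$1; out=$2
    domain=$(lower "$realm")
    mkdir -p "$out"
    cat > "$out/krb5.conf" <<EOF
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $realm
 dns_lookup_realm = false
 rdns = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 $realm = {
  kdc = kdc.$domain
  admin_server = kdc.$domain
 }

[domain_realm]
 .$domain = $realm
 $domain = $realm
EOF
    cat > "$out/kdc.conf" <<EOF
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 $realm = {
  master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
EOF
    # Every principal with an /admin instance gets full kadmin rights.
    printf '*/admin@%s *\n' "$realm" > "$out/kadm5.acl"
}

# weak_enctypes FILE
# Prints every DES or RC4 (arcfour) entry found in supported_enctypes.
# Returns 1 if any were found, 0 if the list is AES/Camellia only.
weak_enctypes() {
    found=$(grep -E '^[[:space:]]*supported_enctypes' "$1" \
        | tr ' ' '\n' | grep -E '^(des|arcfour)' || true)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# upper_domain_realm FILE
# Returns 1 if any key in the [domain_realm] section contains an upper-case
# letter (such a mapping never matches a lower-cased host name), else 0.
upper_domain_realm() {
    awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[domain_realm\]/); next }
        insec && !/^[[:space:]]*#/ && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            if (key ~ /[A-Z]/) bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Demo: render for HADOOP.COM into a scratch directory and audit it.
demo_dir=$(mktemp -d)
render_kdc_configs HADOOP.COM "$demo_dir"
weak_enctypes "$demo_dir/kdc.conf" && echo "kdc.conf: no weak enctypes"
upper_domain_realm "$demo_dir/krb5.conf" && echo "krb5.conf: domain_realm keys are lower-case"
```

Run it as is to see the rendered files in the scratch directory, or point weak_enctypes and upper_domain_realm at an existing /var/kerberos/krb5kdc/kdc.conf and /etc/krb5.conf to audit a KDC you already built by hand; the rendered files have the one-space indentation of the stock templates, which krb5 ignores.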

Now initialise the Kerberos database with:

kdb5_util create -s

[screenshot: KDC database master key prompt]

You will be prompted for the database master password; -s writes it to a stash file so the KDC can start without it being typed.

Start the kerberos services:

service krb5kdc start
service kadmin start

After the Kerberos services are up, create the admin principal:

kadmin.local -q "addprinc admin/admin"

You'll be asked to enter a password for the admin principal.

[screenshot: admin principal creation]

Now let's enter the kadmin shell:

kadmin -p admin/admin

[screenshot: kadmin shell]

To list all the created principals, enter this command in the kadmin shell:

listprincs

[screenshot: listprincs output]

That's all it takes to create a Kerberos server on CentOS 7.x.

If you're using Kerberos to authenticate your Cloudera Hadoop cluster, give Cloudera the admin credentials so you don't need to create the principals for each service manually.
