Thursday 12 April 2018

MIT Kerberos installation and configuration on CentOS6 Server

In this post I will walk through a practical installation and configuration of MIT Kerberos.

Scenario:

I have two machines, one acting as the Kerberos server (KDC) and one acting as the client:

--------
192.168.56.51 ---> kerberos-server.hadoop.com
192.168.56.52 ---> kerberos-client.hadoop.com
--------

I've added both machines to /etc/hosts (IP address followed by hostname, one entry per line) so the names resolve internally without DNS:

Step 1: The following steps are done on kerberos-server.hadoop.com.

Install the following packages on the server:

------
yum -y install krb5-server krb5-libs krb5-workstation
------

Step 2:

Open /etc/krb5.conf on kerberos-server.hadoop.com with vi and update the realm name and the KDC/admin server hostnames.

A sample krb5.conf is shown below. The parameters that need to be edited are default_realm under [libdefaults], the kdc and admin_server entries for the realm under [realms], and the [domain_realm] mappings:
------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HADOOP.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 HADOOP.COM = {
  kdc = kerberos-server.hadoop.com
  admin_server = kerberos-server.hadoop.com
 }

[domain_realm]
 .hadoop.com = HADOOP.COM
 hadoop.com = HADOOP.COM
------

Step 3: Create the Kerberos database using kdb5_util. The password you are prompted for is the KDC master (database) password; the -s flag stores the master key in a stash file so the KDC can start without prompting for it.

------
kdb5_util create -s
------


Step 4:

Start the services:

------
service krb5kdc start
service kadmin start
------

Enable the services at boot:

------
chkconfig krb5kdc on
chkconfig kadmin on
------

Step 5:

Create an admin principal using:
------
kadmin.local -q "addprinc admin/admin"
------

Step 6: Open /var/kerberos/krb5kdc/kadm5.acl and edit the ACL so that the admin principal created in Step 5 is granted kadmin rights in the HADOOP.COM realm.

Then restart the kadmin service:

------
service kadmin restart
------
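As an added example (not part of the original post), the following shell script reads the realm and KDC hostname out of a krb5.conf like the one in Step 2 and then checks that every entry in kadm5.acl (Step 6) belongs to that realm. This catches the common mistake of leaving the stock */admin@EXAMPLE.COM line in place, which makes kadmin reject operations with a "requires ... privilege" error even though the admin principal exists. The sample krb5.conf and kadm5.acl are constructed inline, and the function names krb5_get, krb5_realm_get and kadm5_acl_check are my own; the same script can be pointed at the client's copy of krb5.conf from Step 10.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the
# krb5.conf (Step 2) and kadm5.acl (Step 6). Both sample files below are
# constructed inline so the script runs without a KDC.

# Print the value of KEY in [SECTION] of a krb5.conf-style file (first match).
# Usage: krb5_get FILE SECTION KEY
krb5_get() {
    awk -v sect="$2" -v key="$3" '
        $1 ~ /^\[.*\]$/ {                     # section header such as [libdefaults]
            s = $1; sub(/^\[/, "", s); sub(/\]$/, "", s)
            insect = (s == sect); next
        }
        insect && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Print the value of KEY inside the "REALM = { ... }" block of [realms].
# Usage: krb5_realm_get FILE REALM KEY
krb5_realm_get() {
    awk -v realm="$2" -v key="$3" '
        $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && $1 == "}"                   { inrealm = 0 }
        inrealm && $1 == key && $2 == "="      { print $3; exit }
    ' "$1"
}

# Report kadm5.acl entries whose principal is not in REALM.
# Returns 0 when every entry matches REALM, 1 otherwise (mismatches printed).
kadm5_acl_check() {
    awk -v realm="$2" '
        /^[ \t]*#/ || NF == 0 { next }        # comments and blank lines
        {
            p = $1; at = index(p, "@")
            r = (at ? substr(p, at + 1) : "(none)")
            if (r != realm) { printf "realm mismatch in ACL entry: %s\n", $0; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

TMP=$(mktemp -d) && trap 'rm -rf "$TMP"' EXIT

# Constructed krb5.conf matching the settings used in this post.
cat > "$TMP/krb5.conf" <<'EOF'
[libdefaults]
 default_realm = HADOOP.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 HADOOP.COM = {
  kdc = kerberos-server.hadoop.com
  admin_server = kerberos-server.hadoop.com
 }

[domain_realm]
 .hadoop.com = HADOOP.COM
EOF

# Constructed ACL: the stock CentOS line was left in next to the corrected one.
cat > "$TMP/kadm5.acl" <<'EOF'
# principal            permissions
*/admin@EXAMPLE.COM    *
*/admin@HADOOP.COM     *
EOF

REALM=$(krb5_get "$TMP/krb5.conf" libdefaults default_realm)
echo "default_realm: $REALM"
echo "kdc for $REALM: $(krb5_realm_get "$TMP/krb5.conf" "$REALM" kdc)"
if kadm5_acl_check "$TMP/kadm5.acl" "$REALM"; then
    echo "kadm5.acl: all entries are in $REALM"
else
    echo "kadm5.acl: fix the entries above before restarting kadmin"
fi
```

Run it as-is to see the mismatch report; to check a real host, replace the two heredocs with the paths /etc/krb5.conf and /var/kerberos/krb5kdc/kadm5.acl. The awk parsers are deliberately minimal (first match wins, no include directives), which is enough for the flat configuration used in this post.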



Step 7:

Log in to the kadmin shell using the principal admin/admin@HADOOP.COM.

listprincs lists all existing principals, and a new principal is created with the addprinc command. The procedure is shown in the snapshot below.


Step 8: Verification

Now you will be able to kinit using the principal abcd@HADOOP.COM.



Step 9: Configuration on the client side (kerberos-client.hadoop.com):

Install the following packages on the client:

-----------
yum -y install krb5-libs krb5-workstation
-----------

Step 10: Copy the same krb5.conf that was created on the server to the client.

Sample krb5.conf as below:
------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = HADOOP.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 HADOOP.COM = {
  kdc = kerberos-server.hadoop.com
  admin_server = kerberos-server.hadoop.com
 }

[domain_realm]
 .hadoop.com = HADOOP.COM
 hadoop.com = HADOOP.COM
------


Step 11: Verification from the client machine:

Now you will be able to kinit with the admin principal and abcd@HADOOP.COM from the client machine.

Notes:

1) If you face any errors related to Java while creating the admin principal (Step 3), install the Java packages as below (the pattern is quoted so the shell does not expand it against local files):

------
yum -y install '*jdk*'
------

2) In order to troubleshoot errors while setting up and initializing the KDC database, enable Kerberos library tracing:

------
export KRB5_TRACE=/dev/stdout
------

To disable tracing, unset the variable:

------
unset KRB5_TRACE
------
