In this post I will walk through a practical setup of MIT Kerberos.
Scenario:
I have two machines, one acting as the Kerberos server (the KDC) and one acting as a client, as below:
--------
192.168.56.51 ---> kerberos-server.hadoop.com
192.168.56.52 ---> kerberos-client.hadoop.com
--------
I added the details of both machines (shown above) to the /etc/hosts file on each host for internal name resolution; the krb5.conf used below disables DNS lookups, so the libraries rely on this mapping to find the KDC.
Step 1: The following steps are performed on kerberos-server.hadoop.com.
Install the following packages on the server:
------
yum -y install krb5-server krb5-libs krb5-workstation
------
Step 2:
Open /etc/krb5.conf on the server "kerberos-server.hadoop.com" (vi /etc/krb5.conf) and update the realm name and the KDC server entries.
A sample krb5.conf is below.
The parameters that need to be edited are default_realm, the kdc and admin_server entries in the [realms] block, and the [domain_realm] mappings:
------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HADOOP.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
HADOOP.COM = {
kdc = kerberos-server.hadoop.com
admin_server = kerberos-server.hadoop.com
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
---------
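As an added example (not part of the original post), the following POSIX shell script checks a krb5.conf like the one above against the hosts file before the KDC is started or kinit is attempted. It extracts default_realm, confirms the realm is upper-case and has a matching [realms] block, and confirms every kdc and admin_server name has an entry in an /etc/hosts-style file, which matters here because dns_lookup_kdc is false. The function names are my own, and the sample files it writes are constructed copies of the values used in this post.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check a krb5.conf and the hosts file
# before starting the KDC or running kinit. Realm and host names are the ones
# used in this post; file paths are parameters.

# Print the value of KEY in [SECTION] of the krb5.conf at CONF (first match).
krb5_conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insec = ($1 == sec); next }
        insec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Return 0 when default_realm is set, upper-case, and has a block in [realms].
krb5_check_realm() {
    realm=$(krb5_conf_get "$1" libdefaults default_realm)
    if [ -z "$realm" ]; then echo "no default_realm in [libdefaults]" >&2; return 1; fi
    if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "realm '$realm' should be upper-case" >&2; return 1
    fi
    awk -v r="$realm" '
        /^[[:space:]]*\[/ { insec = ($1 == "[realms]"); next }
        insec && $1 == r && $2 == "=" && $3 == "{" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1" || { echo "no [realms] entry for $realm" >&2; return 1; }
}

# Return 0 when every kdc/admin_server host named in [realms] appears in HOSTS
# (an /etc/hosts-style file). A ":port" suffix on the kdc value is ignored.
krb5_check_hosts() {
    rc=0
    for name in $(awk '
        /^[[:space:]]*\[/ { insec = ($1 == "[realms]"); next }
        insec && ($1 == "kdc" || $1 == "admin_server") && $2 == "=" { sub(/:[0-9]+$/, "", $3); print $3 }
    ' "$1" | sort -u); do
        awk -v n="$name" '
            $1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
            END { exit found ? 0 : 1 }
        ' "$2" || { echo "host '$name' is not in $2" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample files for an offline run; contents mirror the post.
demo_dir=$(mktemp -d)
cat > "$demo_dir/krb5.conf" <<'EOF'
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = HADOOP.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
[realms]
 HADOOP.COM = {
  kdc = kerberos-server.hadoop.com
  admin_server = kerberos-server.hadoop.com
 }
[domain_realm]
 .hadoop.com = HADOOP.COM
 hadoop.com = HADOOP.COM
EOF
cat > "$demo_dir/hosts" <<'EOF'
127.0.0.1      localhost
192.168.56.51  kerberos-server.hadoop.com
192.168.56.52  kerberos-client.hadoop.com
EOF
# A hosts file that lacks the KDC entry, to show the check failing.
printf '127.0.0.1 localhost\n' > "$demo_dir/hosts_bad"

krb5_check_realm "$demo_dir/krb5.conf" && krb5_check_hosts "$demo_dir/krb5.conf" "$demo_dir/hosts" \
    && echo "krb5.conf and hosts file are consistent"
```

On a real host you would call the two check functions with /etc/krb5.conf and /etc/hosts instead of the constructed files; the same script can be run on the client after Step 10 to confirm the copied configuration still resolves the KDC there.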
Step 3: Create the Kerberos database using kdb5_util; the password you are prompted for becomes the KDC database master password (the -s option also writes a stash file so the KDC can start without prompting for it):
-------
kdb5_util create -s
------
Step 4:
Start the services:
------
service krb5kdc start
service kadmin start
------
Enable the services at boot:
------
chkconfig krb5kdc on
chkconfig kadmin on
------
Step 5:
Create an admin principal using:
------
kadmin.local -q "addprinc admin/admin"
------
Step 6: Open the file /var/kerberos/krb5kdc/kadm5.acl and edit the ACL as below so that the admin principal is allowed to administer the database.
Then restart the service as below:
------
service kadmin restart
------
Step 7:
Log in to the kadmin shell using the principal admin/admin@HADOOP.COM.
listprincs lists all available principals, and a new principal is created with the addprinc command. The procedure is highlighted in the snapshot below:
Step 8: Verification
You should now be able to kinit using the principal adbc@HADOOP.COM.
Step 9: Configuration on the client side (kerberos-client.hadoop.com):
Install the following packages on the client:
-----------
yum -y install krb5-libs krb5-workstation
-----------
Step 10: Copy the same krb5.conf file that was created on the server to the client.
Sample krb5.conf as below:
------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = HADOOP.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
HADOOP.COM = {
kdc = kerberos-server.hadoop.com
admin_server = kerberos-server.hadoop.com
}
[domain_realm]
.hadoop.com = HADOOP.COM
hadoop.com = HADOOP.COM
---------
Step 11: Verification from the client machine:
You should now be able to kinit from the client machine using the admin principal and abcd@HADOOP.COM, as below:
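For the verification in Step 8 and Step 11, "kinit succeeded" only tells you the KDC issued something; the following added example (not part of the original post) reads `klist` output and confirms that the cache holds a TGT for the principal you expected, in the right realm. The function names are my own; the principal and realm are the ones used in this post, and the sample klist transcript is constructed, since the post shows none.

```shell
#!/bin/sh
# Added example (not from the post): confirm that the credential cache really
# holds a TGT for the principal you ran kinit as, by reading `klist` output.
# Names (abcd@HADOOP.COM, HADOOP.COM) are the ones used in this post.
# On a client, after kinit:   klist | krb5_tgt_check abcd@HADOOP.COM

# Read klist output on stdin; return 0 when "Default principal" equals $1 and a
# krbtgt/REALM@REALM ticket for that principal's realm is listed, else report why.
krb5_tgt_check() {
    want=$1
    realm=${want##*@}
    awk -v want="$want" -v realm="$realm" '
        BEGIN { tgt_name = "krbtgt/" realm "@" realm }
        /^Default principal:/ { princ = $3 }
        $NF == tgt_name { tgt = 1 }
        END {
            ok = 1
            if (princ == "") { print "no Default principal line: is there a credential cache?"; ok = 0 }
            else if (princ != want) { print "default principal is " princ ", expected " want; ok = 0 }
            if (!tgt) { print "no " tgt_name " ticket in the cache"; ok = 0 }
            exit ok ? 0 : 1
        }'
}

# Convenience wrapper: check a klist transcript held in a string.
krb5_tgt_check_string() {
    printf '%s\n' "$2" | krb5_tgt_check "$1"
}

# Constructed sample klist output (the post shows none); layout follows MIT klist.
sample_klist='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: abcd@HADOOP.COM

Valid starting       Expires              Service principal
01/15/2015 10:00:00  01/16/2015 10:00:00  krbtgt/HADOOP.COM@HADOOP.COM
	renew until 01/22/2015 10:00:00'

krb5_tgt_check_string abcd@HADOOP.COM "$sample_klist" && echo "TGT for abcd@HADOOP.COM is present"
```

The check deliberately insists on the krbtgt/HADOOP.COM@HADOOP.COM entry rather than any ticket: a cache can contain stale service tickets from an earlier session, and a cache for a different principal is the usual cause of "kinit worked but the service still denies me".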
Notes:
1) If you face any Java-related errors while creating the admin principal (Step 3), install the Java packages as below:
------
yum -y install *jdk*
------
2) In order to troubleshoot errors while setting up and initializing the KDC database, turn on Kerberos library tracing:
------
export KRB5_TRACE=/dev/stdout
------
To disable tracing again, unset the variable:
------
unset KRB5_TRACE
------