It mainly follows the "Pivotal HD Enterprise 2.0.1: Stack and Tools Reference".
0. Planning:
- "admin.xxx.com" is the KDC hostname.
- "OPENKBINFO.COM" is the REALM.
- Other host names are put into file ~/hostfile_all.
- Using "AES-256" as the encryption strength.
1. Install Kerberos packages krb5-libs, krb5-workstation, and krb5-server on the KDC host.
yum install krb5-libs krb5-workstation krb5-server
Then verify the RPMs:
[root@admin ~]# rpm -qa|grep krb5
krb5-libs-1.10.3-15.el6_5.1.x86_64
krb5-server-1.10.3-15.el6_5.1.x86_64
pam_krb5-2.3.11-9.el6.x86_64
krb5-workstation-1.10.3-15.el6_5.1.x86_64
2. Install JCE on all Cluster Hosts
Important: This step is only needed if you are using AES-256.
Note: These files already exist in your environment and look the same, but they are the limited strength encryption files; you must replace them with the unlimited strength files to use AES-256.
2.1 Download and unzip the JCE file for your JDK version (Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 for JDK 7).
unzip UnlimitedJCEPolicyJDK7.zip
cd UnlimitedJCEPolicy
2.2 Place the local_policy.jar and US_export_policy.jar files in the /usr/java/default/jre/lib/security/ directory on all cluster hosts.
cp local_policy.jar /usr/java/default/jre/lib/security/local_policy.jar
cp US_export_policy.jar /usr/java/default/jre/lib/security/US_export_policy.jar
massh ~/hostfile_all push /usr/java/default/jre/lib/security/local_policy.jar
massh ~/hostfile_all push /usr/java/default/jre/lib/security/US_export_policy.jar
massh ~/hostfile_all verbose "cp ~/local_policy.jar /usr/java/default/jre/lib/security/local_policy.jar"
massh ~/hostfile_all verbose "cp ~/US_export_policy.jar /usr/java/default/jre/lib/security/US_export_policy.jar"
massh ~/hostfile_all verbose "ls -altr /usr/java/default/jre/lib/security/local_policy.jar"
massh ~/hostfile_all verbose "ls -altr /usr/java/default/jre/lib/security/US_export_policy.jar"
2.3 Install JSVC
JSVC allows a Java process to start as root and then switch to a less privileged user, and is required for the datanode process to start in secure mode.
If "rpm -qa|grep jsvc" returns nothing, then:
yum install jsvc
2.4 Verify JSVC
/usr/libexec/bigtop-utils/jsvc -help
Look under the printed -jvm item in the output and you should see something like:
use a specific Java Virtual Machine. Available JVMs: 'server'
If you do not see the server line, this jsvc will not work for your platform, so try the following actions:
a. Install JSVC using yum and run the check again; if it fails try the next step.
b. Build from source and install manually.
If you have datanode start-up problems and no other errors are obvious, it might be a JSVC problem and you
may need to perform step 2, above, another time. JSVC is very picky about platform and JDK matching, so
use the Building and Installing JSVC instructions for your system OS and JDK.
3. Define your REALM in /etc/krb5.conf
I am using OPENKBINFO.COM as REALM in this example.
Set the kdc and admin_server variables to the resolvable hostname of the KDC host.
Set the default_domain to your REALM.
[root@admin ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = OPENKBINFO.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
OPENKBINFO.COM = {
kdc = admin.xxx.com:88
admin_server = admin.xxx.com:749
default_domain = OPENKBINFO.COM
}
[domain_realm]
.openkbinfo.com = OPENKBINFO.COM
openkbinfo.com = OPENKBINFO.COM
4. Set up /var/kerberos/krb5kdc/kdc.conf
If you want to use AES-256, uncomment the master_key_type line.
If you do not want to use AES-256, remove it from the supported_enctypes line.
Add a key_stash_file entry: /var/kerberos/krb5kdc/.k5.REALM
Set the maximum ticket lifetime and renew lifetime to your desired values.
(24 hours and 7 days are typical)
Add the kadmind_port entry: kadmind_port = 749
Important: The stash file lets the KDC server start up for root without a password being entered.
Here I do want to use AES-256, which is the default encryption strength in CentOS and RedHat.
[root@admin ~]# cat /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
[realms]
OPENKBINFO.COM = {
master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
key_stash_file = /var/kerberos/krb5kdc/.k5.OPENKBINFO.COM
max_life = 24h 0m 0s
max_renewable_life = 7d 0h 0m 0s
kadmind_port = 749
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
5. Create the KDC master password
[root@admin ~]# kdb5_util create -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'OPENKBINFO.COM',
master key name 'K/M@OPENKBINFO.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
DO NOT forget your password as this is the root KDC password.
This typically runs quickly but may take 5-10 minutes if the code has trouble getting the random bytes it needs.
6. Add an administrator account as username/admin@REALM.
Run the kadmin.local application from the command line:
kadmin.local: addprinc username/admin@REALM
Type quit to exit kadmin.local
Important: The KDC does not need to be running to add a principal.
For example, I want to use "mysuperman/admin" as the admin principal here.
[root@admin ~]# kadmin.local
Authenticating as principal root/admin@OPENKBINFO.COM with password.
kadmin.local: addprinc mysuperman/admin@OPENKBINFO.COM
WARNING: no policy specified for mysuperman/admin@OPENKBINFO.COM; defaulting to no policy
Enter password for principal "mysuperman/admin@OPENKBINFO.COM":
Re-enter password for principal "mysuperman/admin@OPENKBINFO.COM":
Principal "mysuperman/admin@OPENKBINFO.COM" created.
7. Start the KDC.
/etc/init.d/krb5kdc start
8. Edit /var/kerberos/krb5kdc/kadm5.acl and change the admin permissions username from * to your admin.
[root@admin]# cat /var/kerberos/krb5kdc/kadm5.acl
root/admin@OPENKBINFO.COM *
mysuperman/admin@OPENKBINFO.COM *
9. Use kadmin.local on the KDC to enable remote access for the administrator(s).
kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab mysuperman/admin
For example:
[root@admin ~]# kadmin.local
Authenticating as principal root/admin@OPENKBINFO.COM with password.
kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab mysuperman/admin
Entry for principal mysuperman/admin with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal mysuperman/admin with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal mysuperman/admin with kvno 2, encryption type des3-cbc-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal mysuperman/admin with kvno 2, encryption type arcfour-hmac added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal mysuperman/admin with kvno 2, encryption type des-hmac-sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal mysuperman/admin with kvno 2, encryption type des-cbc-md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Here I am using principal "mysuperman/admin" as the remote administrator, and put it in keytab file /var/kerberos/krb5kdc/kadm5.keytab.
This keytab file needs to be copied to remote host where you want to use this administrator.
For example, let's copy this keytab file to host named "hdm" for future testing.
scp /var/kerberos/krb5kdc/kadm5.keytab hdm:~
Important: kadmin.local is a KDC-host-only version of kadmin that can do things remote kadmin cannot (such as use the -norandkey option in ktadd).
10. Start kadmind
/etc/init.d/kadmin start
The KDC should now be done and ready to use, but you need to set up your clients first.
11. Install krb5-libs and krb5-workstation on all cluster hosts, including any client/gateway hosts.
yum install krb5-libs krb5-workstation
12. Push your KDC /etc/krb5.conf to all workstation hosts.
massh ~/hostfile_all push /etc/krb5.conf
massh ~/hostfile_all verbose "cp ~/krb5.conf /etc/krb5.conf"
massh ~/hostfile_all verbose "ls -altr /etc/krb5.conf"
13. Do a simple test on host "hdm".
13.1 Login as the admin you created.
[root@hdm ~]# kinit mysuperman/admin -k -t kadm5.keytab -V
Using default cache: /tmp/krb5cc_0
Using principal: mysuperman/admin@OPENKBINFO.COM
Using keytab: kadm5.keytab
Authenticated to Kerberos v5
13.2 Run kadmin and make sure you can log in without a password.
[root@hdm ~]# kadmin -k -t kadm5.keytab -p mysuperman/admin
Authenticating as principal mysuperman/admin with keytab kadm5.keytab.
kadmin:
The example above uses the keytab file to authenticate as principal "mysuperman/admin" without a password.
The example below logs in as principal "root/admin" by entering the password.
[root@hdm ~]# kinit root/admin
Password for root/admin@OPENKBINFO.COM:
[root@hdm ~]# kadmin
Authenticating as principal root/admin@OPENKBINFO.COM with password.
Password for root/admin@OPENKBINFO.COM:
If you meet any errors here, please refer to Common Kerberos Error Messages.
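As an added check that is not part of the original post (shell; assumes GNU or BSD stat): the kdc.conf in step 4 still lists DES and RC4 enctypes in supported_enctypes, and the keytab copied in step 9 lands in a home directory. The script below audits a constructed copy of that kdc.conf for weak enctypes, confirms master_key_type is aes256-cts, and verifies that a keytab is readable by its owner only.

```shell
# Added example, not from the original post: audit a kdc.conf for the weak
# enctypes left in supported_enctypes and check a copied keytab's file mode.
# SAMPLE_KDC_CONF is constructed here from the kdc.conf shown in step 4.

# Enctypes in the post's supported_enctypes line that are considered weak.
WEAK_ENCTYPES="des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc"

# List the weak enctypes present in the supported_enctypes line of the file
# given as $1. Returns 0 when the line is clean, 1 when any were found.
weak_enctypes_in() {
    found=""
    line=$(grep -E '^[[:space:]]*supported_enctypes' "$1" | head -n 1)
    for e in $WEAK_ENCTYPES; do
        case " $line " in
            *" $e:"*) found="$found $e" ;;
        esac
    done
    if [ -z "$found" ]; then return 0; fi
    echo "weak enctypes in $1:$found"
    return 1
}

# Returns 0 when master_key_type in $1 is aes256-cts, the post's chosen type.
master_key_is_aes256() {
    grep -Eq '^[[:space:]]*master_key_type[[:space:]]*=[[:space:]]*aes256-cts' "$1"
}

# A keytab holds long-term keys: after the scp in step 9 it should be readable
# by its owner only. Returns 0 for mode 600 (or stricter), 1 otherwise.
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        [0-7]00) return 0 ;;
        *) echo "$1 has mode $mode; expected 600"; return 1 ;;
    esac
}

# Constructed sample kdc.conf fragment with the enctype list from step 4.
SAMPLE_KDC_CONF=$(mktemp)
cat > "$SAMPLE_KDC_CONF" <<'EOF'
[realms]
OPENKBINFO.COM = {
 master_key_type = aes256-cts
 supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
EOF

# Run the audit on the sample when the script is executed directly.
weak_enctypes_in "$SAMPLE_KDC_CONF" || echo "trim supported_enctypes unless a client still needs them"
master_key_is_aes256 "$SAMPLE_KDC_CONF" && echo "master_key_type is aes256-cts"
```

Point the two functions at the real /var/kerberos/krb5kdc/kdc.conf and at the copied kadm5.keytab to check a live KDC and client.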