@lilongen
Last active May 23, 2019 10:24
Setup kerberos on CentOS 7

install

yum -y install ntp

KDC server
yum -y install krb5-server krb5-libs

Kerberos client
yum -y install krb5-workstation

/var/kerberos/krb5kdc/kdc.conf

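# /var/kerberos/krb5kdc/kdc.conf — read by krb5kdc and kadmin/kadmin.local.
# NOTE(review): the original file carried a top-level "default_realm = UYDC.COM"
# before the first [section]; the profile parser appears to skip such lines,
# and default_realm is not a kdc.conf relation anyway. It belongs under
# [libdefaults] in /etc/krb5.conf, so the stray line is dropped here.

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 UYDC.COM = {
  #master_key_type = aes256-cts
  database_name = /var/kerberos/krb5kdc/principal
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  key_stash_file = /var/kerberos/krb5kdc/stash
  # Key types generated for every new principal. This list still contains
  # single DES (des-*) and RC4 (arcfour-hmac), which are broken or deprecated;
  # unless a known legacy client needs them, trim it to the AES entries.
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  # Upper bound on renewable ticket lifetime. Applies to principals created
  # after this is set; existing ones must be updated with modprinc -maxrenewlife.
  max_renewable_life = 7d 0h 0m 0s
  #default_principal_flags = +renewable, +forwardable
  # +preauth requires pre-authentication, so the KDC does not return an
  # AS-REP encrypted with the user's key to unauthenticated requests.
  default_principal_flags = +preauth, +renewable, +forwardable
 }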
 

/etc/krb5.conf

includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = UYDC.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 # Important!
 # Use default_ccache_name = FILE:/tmp/krb5cc_%{uid} so that beeline, hdfs and
 # the hbase shell can find the Kerberos ticket; with the KEYRING cache they
 # fail with a "can not get kerberos ticket" error (presumably because the
 # Java GSS stack only reads FILE caches — verify for the JVM in use).
 # The FILE cache is a per-uid file on disk: unlike KEYRING, anything that can
 # read /tmp/krb5cc_<uid> can reuse the ticket, so keep /tmp permissions tight.
 #
 #default_ccache_name = KEYRING:persistent:%{uid}
 default_ccache_name = FILE:/tmp/krb5cc_%{uid}

 # KDC messages smaller than this many bytes are tried over UDP first, so the
 # value below prefers UDP for essentially everything. Hadoop guidance is
 # usually udp_preference_limit = 1 (TCP first) — confirm which is intended.
 udp_preference_limit = 1000000
 # begin: the following 3 lines are important; without them kadmin auth is
 # sometimes incredibly slow.
 # NOTE(review): these lines restrict clients to single DES and 3DES and drop
 # AES entirely. On this MIT release single-DES types are disabled unless
 # allow_weak_crypto = true, so in practice only des3-cbc-sha1 is usable, and
 # 3DES is deprecated too. Prefer removing these three lines (AES defaults)
 # and diagnosing the slow kadmin authentication separately.
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 # end

[realms]
 UYDC.COM = {
  kdc = 10.200.70.52
  admin_server = 10.200.70.52
 }

[domain_realm]
 .uydc.com = UYDC.COM
 uydc.com = UYDC.COM
 

/var/kerberos/krb5kdc/kadm5.acl

# kadm5.acl — any principal with an /admin instance in UYDC.COM gets every
# kadmin privilege ("*"). Only give the /admin instance to real administrators.
*/admin@UYDC.COM        *

enable renewable tickets

kdc.conf must be modified to support renewable tickets before creating the principal database
- kdb5_util create -r realm -s 

kdc.conf
  max_renewable_life = 7d 0h 0m 0s
  default_principal_flags = +renewable, +forwardable

krb5.conf
 renew_lifetime = 7d

create principal database and add principal

kdb5_util create -r UYDC.COM -s 
-s lets kadmin.local run without a password

kadmin.local
kadmin.local:  addprinc root/admin
kadmin.local:  addprinc user1
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
kadmin.local:  ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
kadmin.local:  exit

systemctl start krb5kdc
systemctl start kadmin

utility shell script (realm rename)

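#!/bin/bash
# Rename the Kerberos realm in the KDC and client configs from $1 to $2 and
# rebuild the principal database for the new realm.
# Usage: rename-realm.sh OLD.REALM NEW.REALM   (run as root on the KDC host)
# NOTE: this removes the existing principal database; every principal and key
# in it is lost and must be re-created in the kadmin.local session at the end.

if [ "$#" -ne 2 ]; then
    echo "usage: $0 OLD_REALM NEW_REALM" >&2
    exit 1
fi

from=$1
to=$2
systemctl stop krb5kdc kadmin

# \Q...\E makes the realm name a literal match, so the '.' in a name such as
# UYDC.COM only matches a dot; -i.bak keeps a copy of each original file.
perl -i.bak -pE "s/\Q$from\E/$to/g" /var/kerberos/krb5kdc/kdc.conf
perl -i.bak -pE "s/\Q$from\E/$to/g" /etc/krb5.conf
# [domain_realm] maps lower-case DNS names, so replace the lower-case form too
# (no second .bak here, so krb5.conf.bak stays the untouched original).
perl -i -pE "s/\Q${from,,}\E/${to,,}/g" /etc/krb5.conf

# The existing database is bound to the old realm; remove it before re-creating.
rm -rf /var/kerberos/krb5kdc/principal*
kdb5_util create -r "$to" -s
sleep 1
kadmin.local

systemctl start krb5kdc kadmin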

reference

https://gist.github.com/ashrithr/4767927948eca70845db
