Set up and configure an Active Directory server for Kerberos
In this tutorial we will see how to set up and configure an Active Directory server for Kerberos authentication on an HDP cluster.
Environment details used to set up and configure the Active Directory server for Kerberos:
Windows server – 2012 r2.
HDP Cluster – 2.6.X
Ambari – 2.5.X
Let’s get started! When you have nothing configured, this is what Server Manager looks like:
Step 1 – Configure a hostname for your AD.
Let’s begin by configuring a relevant hostname for your Active Directory server.
To change the computer name, open Server Manager –> click on Local Server in the left pane –> click on Computer name –> write a Computer description (optional) –> click on the “Change” button –> type in your new computer name –> save the changes and restart the computer (Yeah! It’s frustrating to restart every time you change something in Windows, but that’s how it is.)
Step 2 – Configure a static IP:
Open PowerShell and run “IPConfig /all” to get the existing IP address, gateway and DNS server addresses. Note down the current configuration.
Open Control Panel –> Network and Internet –> Network and Sharing Center –> click on Ethernet –> click on Properties in Ethernet properties –> go to Internet Protocol Version 4 –> click on Properties –> click on “Use the following IP address” and enter the information noted in the previous step.
Please refer to the screenshot below.
Step 3 – Install DNS
Open Server Manager –> click on “Add Roles and Features” –> click Next –> select “Role-based or feature-based installation” –> select a server from the server pool (your AD server’s hostname should be displayed) –> select “DNS Server” –> click on “Add Features” –> click Next –> click Next –> click on Install –> finally click on Close once the installation is complete.
Please refer to the series of screenshots below:
Step 4 – Configure domain controller
Please open Server Manager –> click on Add Roles and Features under Dashboard –> click Next –> select “Role-based or feature-based installation” and click Next –> keep the default selection and click Next –> tick “Active Directory Domain Services” –> click on “Add Features” –> click Next –> keep the default selection for “Select one or more features to install” –> click Next –> Next –> click on Install on the “Confirm installation selections” page –> once the installation is done, you can close the window.
Please refer to the screenshots below if required:
Step 5 – Promote the server to a domain controller
Click on the flag icon showing a yellow warning sign at the top right –> click on “Promote the server to a domain controller” –> in Deployment Configuration, click on “Add a new forest” –> set the DSRM administrator password –> click Next –> verify the NetBIOS name and change it if needed ( I did not change it in my case ) –> keep the location of the AD DS database/log files at the default value –> review and click Next –> make sure that all the prerequisite checks pass –> click on Install –> close the window after installation.
Please refer to the screenshots below if required:
Step 6 – Configure LDAPS for AD. The first step is to install Active Directory Certificate Services.
Please follow the steps below to install AD CS:
Click on Server Manager –> Add roles and features –> Next –> on the “Select installation type” page, make sure to select Role-based or feature-based installation –> Next –> select the server on the destination server page –> select “Active Directory Certificate Services” and click on Add Features –> Next –> Next –> Next –> please ensure that “Certification Authority” is selected on the “Select role services” page –> Next –> Install –> Close.
Please follow the steps below to configure AD CS:
Click on the notification icon on the Server Manager dashboard –> click on “Configure Active Directory Certificate Services on the destination server” –> please ensure that the default user is a member of the Administrators group (Screenshot – Step 1) –> Next –> select “Certification Authority” on the Select Role Services page (Screenshot – Step 2) –> Next –> select “Enterprise CA” as the setup type (Screenshot – Step 3) –> Next –> select “Root CA” on the “Specify the type of CA” page (Screenshot – Step 4) –> Next –> create a new private key (Screenshot – Step 5) –> Next –> keep the default options for “Cryptography for CA” (Screenshot – Step 6) –> Next –> specify the name of the CA as per your requirement (Screenshot – Step 7) –> Next –> set the validity period ( keep it at the default of 5 years ) –> Next –> specify the “Certificate database location” and “Certificate database log location” (Screenshot – Step 8) –> click on Configure –> Close (Screenshot – Step 9).
Please refer to the screenshots below:
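As an added example (not part of the original tutorial), the same Steps 1 to 6 scripted with the built-in Windows Server 2012 R2 cmdlets, which is handy when you need to rebuild the lab DC repeatably. The hostname, adapter name, addresses, domain name and CA name are placeholders; run each phase in an elevated PowerShell session, because the server reboots after the rename and again after the forest promotion.

```powershell
# Added example, not the tutorial's own code. All names and addresses below are placeholders.

# --- Step 1: hostname (triggers a reboot) ---
$NewName = 'ad01'                               # placeholder hostname
if ($env:COMPUTERNAME -ne $NewName) {
    Rename-Computer -NewName $NewName -Force -Restart
}

# --- Step 2: static IP, using the values noted from 'ipconfig /all' ---
$Alias   = 'Ethernet'                           # adapter name as shown in Network Connections
$Ip      = '192.0.2.10'                         # placeholder address (TEST-NET-2 range)
$Gateway = '192.0.2.1'
Set-NetIPInterface -InterfaceAlias $Alias -Dhcp Disabled
# Drop the DHCP-assigned address before assigning the static one.
Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 |
    Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias $Alias -IPAddress $Ip -PrefixLength 24 -DefaultGateway $Gateway
# The DC becomes the DNS server for the forest, so point the client resolver at itself.
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $Ip

# --- Steps 3 and 4: DNS Server and AD DS roles ---
Install-WindowsFeature -Name DNS, AD-Domain-Services -IncludeManagementTools

# --- Step 5: promote to the first DC of a new forest (reboots when done) ---
$DsrmPassword = Read-Host -Prompt 'DSRM administrator password' -AsSecureString
Install-ADDSForest -DomainName 'corp.example.com' -DomainNetbiosName 'CORP' `
    -SafeModeAdministratorPassword $DsrmPassword -InstallDns `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -Force

# --- Step 6: AD CS as an Enterprise Root CA (run after the post-promotion reboot, as a Domain Admin) ---
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CACommonName 'CORP-AD01-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 -Force
```

Once the CA is installed, the DC enrols for its own certificate automatically and LDAPS on port 636 starts listening after the next reboot, which is what Step 7 on the Linux side relies on.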
Step 7: Import the AD certificate to the Linux host(s)
Install the OpenLDAP client tools and the CA trust utilities:
sudo yum -y install openldap-clients ca-certificates
Add the AD certificate to the system trust anchors on your Linux host(s) (the anchors directory is root-owned, so the write needs sudo):
openssl s_client -connect <AD-server-FQDN>:636 <<<'' | sudo openssl x509 -out /etc/pki/ca-trust/source/anchors/ad.crt
Update the CA trust store:
sudo update-ca-trust force-enable
sudo update-ca-trust extract
sudo update-ca-trust check
Configure the LDAP client to trust your AD server:
sudo tee -a /etc/openldap/ldap.conf > /dev/null << EOF
TLS_CACERT /etc/pki/tls/cert.pem
URI ldaps://<your-ad-server-fqdn> ldap://<your-ad-server-fqdn>
BASE dc=<your-dc>,dc=<your-dc>
EOF
Test the connection to AD using the OpenSSL client; the certificate is trusted only if the output ends with “Verify return code: 0 (ok)”, so check that line rather than just that the handshake completed:
openssl s_client -connect <ad-server-fqdn>:636 </dev/null
Step 8: Configure Kerberos with AD using Ambari
Please follow the Hortonworks documentation below to configure Kerberos with AD using Ambari.