Tag : kerberos-hortonworks

Setup and configure Active Directory server for Kerberos

In this tutorial we will see how to set up and configure an Active Directory server as the Kerberos KDC (and LDAPS directory) for an HDP cluster.

Environment used in this tutorial:

Windows Server 2012 R2

HDP cluster 2.6.x

Ambari 2.5.x

Let’s get started! With nothing configured yet, Server Manager opens on its bare default dashboard.

 

Step 1 – Configure the hostname for your AD server

Begin by giving your Active Directory server a meaningful hostname. Do this before promotion: the name becomes the domain controller’s FQDN, and both its Kerberos service principals and the LDAPS certificate it will present are issued for that name.

To change the computer name, open Server Manager –> click on Local Server in the left pane –> click on the computer name –> enter a computer description (optional) –> click the “Change” button –> type the new computer name –> save the changes and restart the server (yes, Windows wants a restart after almost every change of this kind :( )

 

Step 2 – Configure a static IP

Open PowerShell and run ipconfig /all to see the current IP address, default gateway and DNS server addresses, and note them down. A domain controller must keep a fixed address: every cluster node will resolve it by name, and DNS for the domain will run on this very server.

Open Control Panel –> Network and Internet –> Network and Sharing Center –> click on Ethernet –> click on Properties –> select Internet Protocol Version 4 –> click on Properties –> select “Use the following IP address” and enter the values noted in the previous step.

 

Step 3 – Install DNS

Open Server Manager –> click on “Add Roles and Features” –> Next –> select “Role-based or feature-based installation” –> select the server from the server pool (your AD server’s hostname should be listed) –> tick “DNS Server” –> click on “Add Features” –> Next –> Next –> Install –> Close once the installation has completed.

 

Step 4 – Configure domain controller

Open Server Manager –> click on Add Roles and Features on the dashboard –> Next –> select “Role-based or feature-based installation” and click Next –> keep the default server selection and click Next –> tick “Active Directory Domain Services” –> click on “Add Features” –> Next –> keep the default selection on “Select one or more features to install” –> Next –> Next –> click Install on the “Confirm installation selections” page –> close the window once the installation is done.

Screenshots in the original post: select_ad, add_feature, ad_install, ad_install_inpro, ad_installationcomplete.

 

 

Step 5 – Promote the server to a domain controller

Click the flag icon with the yellow warning sign at the top right –> click on “Promote this server to a domain controller” –> under Deployment Configuration select “Add a new forest” and enter the root domain name (the Kerberos realm your cluster will use is this name in upper case) –> set the DSRM (Directory Services Restore Mode) administrator password –> Next –> verify the NetBIOS name and change it if needed (I kept the default) –> keep the default locations for the AD DS database, log files and SYSVOL –> review and click Next –> make sure all prerequisite checks pass –> Install –> close the window after installation; the server reboots as a domain controller.

Screenshots in the original post: promote, new_forest, domain_controller_options, verify_netbios, keep_default_paths, review_options, prerequisites-check.
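The five GUI steps above, as an added PowerShell example that is not from the original post. Run it from an elevated prompt on the future domain controller in three parts, letting the machine reboot in between. The interface name, addresses, hostname, domain name and NetBIOS name are placeholders chosen for this example; take the real address, gateway and DNS server from ipconfig /all and pick your own domain name.

```powershell
# Added example (not from the original post). All values are placeholders for this
# example; replace them with the output of 'ipconfig /all' and your own domain name.

# ---- Part 1: static IP and hostname (Steps 1 and 2); ends with a reboot ----
$Nic     = 'Ethernet'
$Ip      = '192.168.56.10'
$Prefix  = 24
$Gateway = '192.168.56.1'
$Dns     = '192.168.56.2'      # the DNS server currently handed out by DHCP
$NewName = 'ad01'

Set-NetIPInterface         -InterfaceAlias $Nic -Dhcp Disabled
New-NetIPAddress           -InterfaceAlias $Nic -IPAddress $Ip -PrefixLength $Prefix -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Dns

# Rename first, promote later: the DC's Kerberos SPNs and its LDAPS certificate are
# both issued for this hostname, so it must be final before AD DS is installed.
Rename-Computer -NewName $NewName -Force -Restart

# ---- Part 2 (after the reboot): DNS role, AD DS role, new forest (Steps 3, 4 and 5) ----
$DomainName  = 'hdp.example.com'   # forest root; the Kerberos realm is HDP.EXAMPLE.COM
$NetbiosName = 'HDP'

Install-WindowsFeature -Name DNS, AD-Domain-Services -IncludeManagementTools

# DSRM (Directory Services Restore Mode) password: prompt for it, never hard-code it.
$DsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM administrator password'

Import-Module ADDSDeployment
Install-ADDSForest `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -SafeModeAdministratorPassword $DsrmPassword `
    -InstallDns:$true `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -Force
# The server reboots as the first domain controller of the new forest.

# ---- Part 3 (after the second reboot): confirm the KDC and DNS are up ----
$DomainName = 'hdp.example.com'   # variables do not survive the reboot
Get-ADDomain | Select-Object Forest, DNSRoot, NetBIOSName
Get-Service kdc, DNS | Select-Object Name, Status
# Port 88 answering on the DC's FQDN is what the cluster nodes will need for Kerberos.
Test-NetConnection -ComputerName "$env:COMPUTERNAME.$DomainName" -Port 88
```

The forest promotion is the point of no return for the hostname and domain name, which is why the example forces the rename and the static address first; the Part 3 checks are the ones worth running before moving on to AD CS.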

 

 

Step 6 – Configure LDAPS for AD

LDAP over TLS requires the domain controller to hold a server certificate. The first step is therefore to install Active Directory Certificate Services (AD CS) and stand up an Enterprise CA; once it exists, the domain controller enrolls for a Domain Controller certificate through Group Policy and starts answering LDAPS on port 636.

Please follow the steps below to install AD CS:

Click on Server Manager –> Add roles and features –> Next –> on the “Select installation type” page select Role-based or feature-based installation –> Next –> select the server on the destination server page –> tick “Active Directory Certificate Services” and click on Add features –> Next –> Next –> Next –> make sure that “Certification Authority” is selected on the “Select role services” page –> Next –> Install –> Close.

Please follow the steps below to configure AD CS:

Click the notification icon on the Server Manager dashboard –> click on “Configure Active Directory Certificate Services on the destination server” –> check that the credentials shown belong to a member of Enterprise Admins, which an Enterprise CA installation requires (Screenshot – Step 1) –> Next –> select “Certification Authority” on the Select Role Services page (Screenshot – Step 2) –> Next –> select “Enterprise CA” as the setup type (Screenshot – Step 3) –> Next –> select “Root CA” on the “Specify the type of CA” page (Screenshot – Step 4) –> Next –> create a new private key (Screenshot – Step 5) –> Next –> on “Cryptography for CA” keep the default provider and key length, but make sure the hash algorithm is SHA256, not SHA1; SHA-1 signatures are rejected by the default crypto policy on current Linux releases (Screenshot – Step 6) –> Next –> specify the name of the CA as per your requirement (Screenshot – Step 7) –> Next –> set the validity period (the default 5 years is fine for a lab root) –> Next –> specify the “Certificate database location” and “Certificate database log location” (Screenshot – Step 8) –> click on Configure –> Close (Screenshot – Step 9).

Screenshots in the original post: Step 1 creds, Step 2 select_certification_auth, Step 3 select_enterprise_CA, Step 4 select_root_CA, Step 5 create_new_private_key, Step 6 select_default_option, Step 7 specify_name-CA, Step 8 confirmation_adca, Step 9 successful.
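Step 6 as an added PowerShell example, not code from the original post, run as a member of Enterprise Admins on the domain controller. The CA common name, the database paths and the export path are placeholders chosen for this example, and the LDAPS check assumes you are logged in with a domain account so that $env:USERDNSDOMAIN is set.

```powershell
# Added example (not from the original post). CA name, paths and export file are placeholders.

# Install the AD CS role with the Certification Authority role service.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Configure an Enterprise Root CA. Enterprise, so domain members (the DC included) can
# auto-enroll via Group Policy; Root, because this lab has no parent CA. State the hash
# algorithm explicitly instead of accepting the wizard defaults: SHA-1 signatures are
# rejected by the default crypto policy on current Linux releases.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName 'HDP-Root-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 5 `
    -DatabaseDirectory 'C:\Windows\system32\CertLog' `
    -LogDirectory 'C:\Windows\system32\CertLog' `
    -Force

# The DC auto-enrolls a 'Domain Controller' certificate from the new Enterprise CA.
# Trigger the enrollment instead of waiting for the next policy refresh, then list
# what landed in the machine store with a Server Authentication EKU.
certutil -pulse
gpupdate /force
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint

# LDAPS is up when 636 answers. If it stays closed, reboot the DC so Schannel picks up
# the new certificate, then re-run this line.
Test-NetConnection -ComputerName "$env:COMPUTERNAME.$env:USERDNSDOMAIN" -Port 636

# Export the CA's own certificate (DER) for the Linux hosts in Step 7: trust the root,
# not the DC's leaf certificate, so the trust survives the DC certificate's renewal.
certutil -ca.cert C:\ad-root-ca.cer
```

Copy C:\ad-root-ca.cer to the Linux hosts; it is what Step 7 should trust in place of the certificate scraped from port 636, and the SHA-256 fingerprint shown by certutil is what you compare against on the Linux side.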

 

 

Step 7 – Import the AD certificate on the Linux host(s)

Install the OpenLDAP client tools and the system CA trust bundle:

sudo yum -y install openldap-clients ca-certificates

Fetch the certificate the AD server presents on port 636 and inspect it before trusting it. Note that this is the domain controller’s own server certificate, issued by your new CA, not the CA certificate: importing it works, but the trust breaks when that certificate is renewed, so outside a lab export the CA’s root certificate on the CA (certutil -ca.cert) and put that file into the anchors directory instead (converted to PEM if needed). Either way, compare the SHA-256 fingerprint with what the CA reports rather than trusting whatever answered on the wire.

openssl s_client -connect <AD-server-FQDN>:636 </dev/null 2>/dev/null | openssl x509 -out /tmp/ad.crt
openssl x509 -in /tmp/ad.crt -noout -subject -issuer -dates -fingerprint -sha256
sudo cp /tmp/ad.crt /etc/pki/ca-trust/source/anchors/ad.crt

Add the anchor to the system trust store and check the result:

sudo update-ca-trust force-enable
sudo update-ca-trust extract
sudo update-ca-trust check

Point the OpenLDAP client at the AD server and at the system trust bundle (update-ca-trust extract regenerates /etc/pki/tls/cert.pem):

sudo tee -a /etc/openldap/ldap.conf > /dev/null << EOF
TLS_CACERT /etc/pki/tls/cert.pem
URI ldaps://<your-ad-server-fqdn> ldap://<your-ad-server-fqdn>
BASE dc=<your-dc>,dc=<your-dc>
EOF

Test the TLS connection to AD from the Linux host. The session summary must show Verify return code: 0 (ok); any other code means the chain was not accepted, usually because the anchor was not picked up by update-ca-trust extract:

openssl s_client -connect <ad-server-fqdn>:636 </dev/null

 

Step 8: Configure Kerberos with AD using Ambari

Please follow the Hortonworks documentation below to configure Kerberos with AD through Ambari. The Ambari wizard will ask for the KDC host and realm from Step 5, the ldaps:// URL you just verified in Step 7, the container DN under which Ambari may create the service principals, and an AD account with rights to create objects there.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_security/content/configuring_amb_hdp_for_kerberos.html

 

Please comment if you have any feedback/questions/suggestions. Happy Hadooping!! :)


Automated Kerberos Installation and Configuration

Automated Kerberos Installation and Configuration – for this post I have written a shell script that uses the Ambari APIs to configure Kerberos on HDP single-node or multi-node clusters. You just need to clone our GitHub repository, modify the property file according to your cluster environment, execute the setup script and, phew, within 5-10 minutes your cluster should be completely secured by Kerberos! Cool, isn’t it? :)

 

Detailed steps (demo on HDP Sandbox 2.4):

 

1. Clone our GitHub repository on your local machine or on one of the nodes of your Hadoop cluster.

git clone https://github.com/crazyadmins/useful-scripts.git

Sample Output:

[root@sandbox ~]# git clone https://github.com/crazyadmins/useful-scripts.git
Initialized empty Git repository in /root/useful-scripts/.git/
remote: Counting objects: 29, done.
remote: Compressing objects: 100% (25/25), done.
remote: Total 29 (delta 4), reused 25 (delta 3), pack-reused 0
Unpacking objects: 100% (29/29), done.

 

2. Go to the useful-scripts/ambari directory

[root@sandbox ~]# cd useful-scripts/ambari/
[root@sandbox ambari]# ls -lrt
total 16
-rw-r--r-- 1 root root 5701 2016-04-23 20:33 setup_kerberos.sh
-rw-r--r-- 1 root root 748 2016-04-23 20:33 README
-rw-r--r-- 1 root root 366 2016-04-23 20:33 ambari.props
[root@sandbox ambari]#

 

3. Copy setup_kerberos.sh and ambari.props to the host where you want to set up the KDC server

 

4. Edit ambari.props according to your cluster environment

Sample content for my Sandbox:

[root@sandbox ambari]# cat ambari.props
CLUSTER_NAME=Sandbox
AMBARI_ADMIN_USER=admin
AMBARI_ADMIN_PASSWORD=admin
AMBARI_HOST=sandbox.hortonworks.com
KDC_HOST=sandbox.hortonworks.com
REALM=HWX.COM
KERBEROS_CLIENTS=sandbox.hortonworks.com
##### Notes #####
#1. KERBEROS_CLIENTS - Comma separated list of Kerberos clients in case of multinode cluster
#2. Admin principal is admin/admin and password is hadoop
[root@sandbox ambari]#

 

5. Start the installation by executing setup_kerberos.sh

Notes:

1. Run setup_kerberos.sh on KDC_HOST only; you don’t need to set up or configure the KDC yourself, the script does all of that for you.

2. If you are running the script on the Sandbox, turn OFF maintenance mode for HDFS and turn ON maintenance mode for Zeppelin Notebook before executing it.

3. ambari.props holds the Ambari admin password in clear text and the script creates the KDC admin principal admin/admin with the fixed password hadoop, so keep the file readable by root only and change both passwords once Kerberos is enabled.

sh setup_kerberos.sh

 

Screenshots (in the original post):

1. Before script execution

2. Script execution in progress

3. Script finished

4. Ambari UI shows Kerberos is enabled

 

 

Please comment if you have any feedback/questions/suggestions. Happy Hadooping!! :)

 
