Configuring Kerberos Authentication Using Local KDC and Active Directory KDC
The Big Data Service cluster provisions local MIT KDC by default. The cluster can be also be provisioned to use Active Directory KDC for users belonging to the Active Directory domain. You must also requires setting up cross trust between the two realms.
Updating Ambari to Use Active Directory KDC
- Login to the Ambari UI associated with your Big Data Service cluster.
- From the left navigation menu, under Services click Kerberos.
- Click the Configs tab and then expand the Advanced krb5-conf section.
-
Modify the krb5-conf template field similar to the following content:
{# # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. #} [libdefaults] renew_lifetime = 7d forwardable = true default_realm = {{realm}} ticket_lifetime = 24h dns_lookup_realm = false dns_lookup_kdc = false #default_ccache_name = /tmp/krb5cc_%{uid} #default_tgs_enctypes = {{encryption_types}} #default_tkt_enctypes = {{encryption_types}} {% if domains %} [domain_realm] {%- for domain in domains.split(',') %} {{domain|trim()}} = {{realm}} {%- endfor %} {% endif %} example.oraclevcn.com = <ad-realm> [logging] default = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log kdc = FILE:/var/log/krb5kdc.log [realms] {{realm}} = { {%- if master_kdc %} master_kdc = {{master_kdc|trim()}} {%- endif -%} {%- if kdc_hosts > 0 -%} {%- set kdc_host_list = kdc_hosts.split(',') -%} {%- if kdc_host_list and kdc_host_list|length > 0 %} admin_server = {{admin_server_host|default(kdc_host_list[0]|trim(), True)}} {%- if kdc_host_list -%} {%- if master_kdc and (master_kdc not in kdc_host_list) %} kdc = {{master_kdc|trim()}} {%- endif -%} {% for kdc_host in kdc_host_list %} kdc = {{kdc_host|trim()}} {%- endfor -%} {% endif %} {%- endif %} {%- endif %} } {# Append additional realm declarations below #} <ad-realm> = { admin_server = server-example.oraclevcn.com:749 kdc = kdc-example.oraclevcn.com:88 default_domain = domain-example.oraclevcn.com } [capaths] <ad-realm> = { <your-local-realm> = . } - Save the configuration and restart all the affected services.
- Navigate to HDFS > Configs > Advanced > Advanced core-site.
-
Change the
hadoop.security.auth_to_localparameter to include the following:RULE:[1:$1@$0](.*@<ad-realm>)s/@.*//Example:
RULE:[2:$1@$0](yarn@EXAMPLE.ORACLE.COM)s/.*/yarn/ RULE:[2:$1@$0](yarn-ats-hbase@EXAMPLE.ORACLE.COM)s/.*/yarn-ats/ RULE:[1:$1@$0](.*@EXAMPLE.REALM)s/@.*// DEFAULT
Setting Up Cross Realm Trust Between Domains
You can set up a one-way cross-realm trust from a local Key Distribution Center (KDC) to the Active Directory realm in a Big Data Service ODH kerberos enabled cluster.
Configuring the Active Directory Server
- To set the preferred encrption type in the Active Directory (AD) server, open the Group Policy Management dialog (Start > Windows Administrative Tools Group Policy Management).
- In the Group Policy Management dialog, navigate to the Forest: <ad-realm> > Domains > <ad-realm> folder.
- Right-click Default Domain Policy and select Edit.
- In the Group Policy Management Editor, navigate to Security Options by explanding Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
- Ensure that the Security Options folder is selected and then double-click policy Network security: Configure encryption types allowed for Kerberos.
-
Configure the required encryption type allowed for Kerberos from the dialogue box. We recommend using the strongest encryption type supported on Big Data Service, which is
AES256_HMAC_SHA1. Select the policy and then click OK. -
Set the encryption on the command line by adding the local realm trust to Active Directory.
netdom trust <your-local-realm> /Domain:<ad-realm> /add /realm /passwordt:<trust-password>Example:
C:\Users\administrator> netdom trust EXAMPLE.ORACLE.COM /Domain:EXAMPLE.REALM /add /realm /passwordt:Welcome1 > The command completed successfully. -
Set the proper encryption type.
ksetup /SetEncTypeAttr <your-local-realm> <enc_type>The <enc_type> parameter specifies AES, DES, or RC4 encryption. Choose from the following table:
Encryption Name Used by the AD Encryption Policy Encryption Name Supported by ksetup:setenctypeattr DES_CBC_CRC DES-CBC-CRC DES_CBC_MD5 DES-CBC-MD5 RC4_HMAC_MD5 RC4-HMAC-MD5 AES128_HMAC_SHA1 AES128-CTS-HMAC-SHA1-96 AES256_HMAC_SHA1 AES256-CTS-HMAC-SHA1-96 Example:
C:\Users\Administrator> ksetup /SetEncTypeAttr EXAMPLE.ORACLE.COM AES256-CTS-HMAC-SHA1-96 > Setting enctypes for domain EXAMPLE.ORACLE.COM to:AES256-CTS-HMAC-SHA1-96 -
Verify the list of encryption types set.
ksetup /GetEncTypeAttr <your-local-realm>Example:
C:\Users\administrator> ksetup /GetEncTypeAttr EXAMPLE.ORACLE.COM > Enctypes for domain EXAMPLE.ORACLE.COM: AES256-CTS-HMAC-SHA1-96
Configuring the Master MIT KDC Server
-
Run the following command as root on the master KDC, which is located on the first master node (mn0) of the Big Data Service cluster.
kadmin.local -
Add the cross-realm
krbtgtprincipal.kadmin.local: addprinc -e "<enc_type_list>" krbtgt/<your-local-realm>@<ad-realm>You're prompted to enter a password. Use the same password you used in the netdom command on the Active Directory server.
Example:
kadmin.local: addprinc -e "aes256-cts:normal" krbtgt/<EXAMPLE_USER>@<EXAMPLE.REALM> > WARNING: no policy specified for krbtgt/<EXAMPLE_USER>@<EXAMPLE.REALM>; defaulting to no policy > Enter password for principal "krbtgt/<EXAMPLE_USER>@<EXAMPLE.REALM>": > Re-enter password for principal "krbtgt/<EXAMPLE_USER>@<EXAMPLE.REALM>": > Principal "krbtgt/<EXAMPLE_USER>@<EXAMPLE.REALM>" created.
Note
The encryption type on Big Data Service has a different naming convention than on the Active Directory server. For example, if
The encryption type on Big Data Service has a different naming convention than on the Active Directory server. For example, if
AES256-CTS-HMAC-SHA1-96 is used on the Active Directory server, the corresponding type on Big Data Service is aes256-cts:normal.