How to set up Kerberos authentication with Windows Active Directory in HDB

Article ID: 294857
Products

Services Suite

Issue/Introduction

This article shows how to set up Kerberos authentication with the Windows Active Directory (AD) service. Please refer to the HDB docs for more information.


Prerequisites

  • HDB cluster (tested on 2.x).
  • Windows Server installed with Active Directory service (tested on Windows Server 2012).


Environment


Resolution

1. Log onto Windows Server as a user with administrator permission.

2. Select Start -> Control Panel -> Administrative Tools -> Active Directory Users and Computers. If "Active Directory Users and Computers" doesn't exist, it might mean the Active Directory service has not been installed correctly. If this is the case, contact the system administrator for assistance.


3. On the "Active Directory Users and Computers" window, right click on Managed Service Accounts under the tree view of the local domain ("DATA.LOCAL" in this example) and select New -> User.


4. On the popup "New Object - User" window, input the following:

    First name: gpadmin

    User logon name: gpadmin


5. Click Next, enter a password and enable the checkbox "Password never expires." Click Next and then Finish.


6. Add a Service Principal Name (SPN) for the account just created.

PS C:\Users\Administrator> setspn -A postgres/hdp3.example.com gpadmin

NOTE: "hdp3.example.com" here is the FQDN of the HDB master host. Make sure it is resolvable on the Windows server running the AD service.


7. Generate a keytab file with the ktpass command.


Format

ktpass -princ postgres/<FQDN of HDB master> -pass <password> -mapuser <Managed Service Account name> -crypto ALL -ptype KRB5_NT_PRINCIPAL -out <keytab filename> -kvno 0

PS C:\Users\Administrator> ktpass -princ postgres/hdp3.example.com@DATA.LOCAL -pass abcd1234 -mapuser gpadmin -crypto ALL -ptype KRB5_NT_PRINCIPAL -out hdp3.keytab -kvno 0
Targeting domain controller: WIN-TIH2EBEERUK.DATA.LOCAL
Using legacy password setting method
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to hdp3.keytab:
Keytab version: 0x502
keysize 61 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x1 (DES-CBC-CRC) keylength 8 (0xa8d0405789a8469e)
keysize 61 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x3 (DES-CBC-MD5) keylength 8 (0xa8d0405789a8469e)
keysize 69 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x17 (RC4-HMAC) keylength 16 (0x161cff084477fe596a5db81874498a24)
keysize 85 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x12 (AES256-SHA1) keylength 32 (0x20648bd82de77bf66a1dcac4b3050bc308f2cc38f4a13e814ad5bd30e67ef388)
keysize 69 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x11 (AES128-SHA1) keylength 16 (0xa026bb25aa495af5334cd4f185d33071)

8. Transfer the generated keytab file to the HDB master, then change the ownership of the keytab file to "gpadmin:gpadmin" and change its mode to 600.

[gpadmin@hdp3 ~]$ ls -l hdp3.keytab
-rw-------. 1 gpadmin gpadmin 367 Jun 7 21:48 hdp3.keytab
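As an added example (not part of the original article, and not HDB or Microsoft code), the following Python script parses the file ktpass wrote in step 7, which uses the MIT keytab layout with version 0x502, and reports each entry's principal, kvno and enctype without printing key material. It flags the single-DES and RC4 entries that -crypto ALL produces, which is worth checking before copying the file to the master. The keytab it parses is constructed inside the script with zero-filled placeholder keys; build_keytab, parse_keytab and weak_entries are names introduced here.

```python
import struct
from typing import Dict, List, Tuple

# Kerberos enctype numbers from the IANA registry (RFC 3961/3962/4757). The DES and
# RC4 types are the ones ktpass -crypto ALL emitted in step 7; they are deprecated
# (RFC 6649, RFC 8429), so the check below flags them.
ENCTYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}


def _octet_string(data: bytes) -> bytes:
    """Keytab counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples into an MIT v2 keytab.
    Used here only to construct sample input; real keytabs come from ktpass."""
    out = bytearray(b"\x05\x02")                        # keytab version 0x502
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _octet_string(realm.encode())
        for comp in components:
            body += _octet_string(comp.encode())
        # name_type 1 = KRB5_NT_PRINCIPAL, timestamp 0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body        # each entry is prefixed by its size
    return bytes(out)


def parse_keytab(blob: bytes) -> List[dict]:
    """One dict per live entry: principal, kvno, enctype, enctype_name, keylen, weak.
    Key material is deliberately not returned; only its length is reported."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                                      # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        realm = blob[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            comps.append(blob[pos:pos + clen].decode())
            pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + klen                                   # skip over the key bytes
        kvno = vno8
        if end - pos >= 4:                                # 32-bit kvno, when present and non-zero, wins
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"etype-{enctype}"),
            "keylen": klen,
            "weak": enctype in WEAK_ENCTYPES,
        })
    return entries


def weak_entries(blob: bytes) -> List[str]:
    """Names of deprecated enctypes present; non-empty means -crypto ALL left weak keys in the file."""
    return [e["enctype_name"] for e in parse_keytab(blob) if e["weak"]]


# Constructed sample: same principal and enctype mix as the ktpass output in step 7,
# kvno 0 as in the -kvno 0 invocation, with zero-filled placeholder keys.
SPN = "postgres/hdp3.example.com@DATA.LOCAL"
SAMPLE_KEYTAB = build_keytab([
    (SPN, 0, 1, bytes(8)),
    (SPN, 0, 3, bytes(8)),
    (SPN, 0, 23, bytes(16)),
    (SPN, 0, 18, bytes(32)),
    (SPN, 0, 17, bytes(16)),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        flag = "  <-- deprecated" if e["weak"] else ""
        print(f'{e["principal"]} kvno {e["kvno"]} {e["enctype_name"]} ({e["keylen"]} bytes){flag}')
```

Run it against a real file with parse_keytab(open("hdp3.keytab", "rb").read()); an empty result from weak_entries means the keytab only carries AES keys, which is what restricting the ktpass -crypto value to the AES types gives you.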

9. Follow the instructions in the HDB docs to install the Kerberos packages on the HAWQ master.


10. Edit the /etc/krb5.conf configuration file. The following example shows a configuration for a Kerberos server with DATA.LOCAL as the default realm.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 default_realm = DATA.LOCAL
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
[realms]
 DATA.LOCAL = {
 kdc = <KDC Hostname>:88
 admin_server = <KDC Hostname>:749
 }
[domain_realm]
 <KDC Hostname> = DATA.LOCAL
 .<KDC Hostname> = DATA.LOCAL
 .data.local = DATA.LOCAL
 data.local = DATA.LOCAL

11. Modify hawq-site.xml to specify the location of the keytab file. For example, adding the following property to hawq-site.xml specifies /home/gpadmin/hdp3.keytab as the keytab file. Note that the change should be made through the Ambari web UI if Ambari is used to manage the HDB service.

<property>
    <name>krb_server_keyfile</name>
    <value>/home/gpadmin/hdp3.keytab</value>
</property>

12. Modify the HDB file pg_hba.conf to enable Kerberos support. Then restart HDB (hawq restart cluster -a), or restart the HDB service from the Ambari web UI if Ambari is used to manage the HDB service.

For example, adding the following line to pg_hba.conf enables GSSAPI and Kerberos support. The value of krb_realm is the Kerberos realm that is used to authenticate to HDB.

host all all 0.0.0.0/0 gss include_realm=0 krb_realm=DATA.LOCAL
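To show what that line actually matches, here is an added Python example (not from the article, and not HDB or PostgreSQL code) that parses pg_hba.conf records, applies PostgreSQL's first-match rule, and evaluates the gss options the way the server does: krb_realm rejects principals from any realm other than DATA.LOCAL, and include_realm=0 strips the realm before the principal is compared with the requested role. The sample pg_hba.conf, the client addresses and the function names are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HbaRule:
    conn_type: str            # local, host, hostssl, hostnossl
    database: str
    user: str
    address: Optional[str]    # CIDR for host* rules, None for local
    method: str               # trust, gss, md5, ...
    options: Dict[str, str] = field(default_factory=dict)


def parse_pg_hba(text: str) -> List[HbaRule]:
    """Parse pg_hba.conf records (CIDR address form only; the 'IP netmask' form is not handled)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        f = line.split()
        if f[0] == "local":
            address, rest = None, f[3:]
        else:
            address, rest = f[3], f[4:]
        options: Dict[str, str] = {}
        for opt in rest[1:]:                           # auth options follow the method
            key, _, value = opt.partition("=")
            options[key] = value
        rules.append(HbaRule(f[0], f[1], f[2], address, rest[0], options))
    return rules


def first_match(rules: List[HbaRule], database: str, user: str, client_ip: str) -> Optional[HbaRule]:
    """pg_hba.conf is first-match: the first rule whose type, db, user and address fit decides."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if r.conn_type == "local":                     # only TCP connections are modelled here
            continue
        if r.database != "all" and r.database != database:
            continue
        if r.user != "all" and r.user != user:
            continue
        if ip not in ipaddress.ip_network(r.address, strict=False):
            continue
        return r
    return None


def gss_role_for(principal: str, options: Dict[str, str]) -> Optional[str]:
    """Apply the gss options: krb_realm rejects other realms, include_realm=0 strips the realm."""
    name, _, realm = principal.rpartition("@")
    if "krb_realm" in options and realm != options["krb_realm"]:
        return None
    # Assumption: when include_realm is unset, the full principal is kept (modern PostgreSQL
    # default). The article sets it explicitly, which is the safe thing to do.
    if options.get("include_realm", "1") == "0":
        return name
    return principal


def decide(rules: List[HbaRule], database: str, user: str, client_ip: str,
           principal: Optional[str] = None) -> str:
    """Outcome for one connection attempt: the method name, or a gss-specific verdict."""
    rule = first_match(rules, database, user, client_ip)
    if rule is None:
        return "no-rule"
    if rule.method != "gss":
        return rule.method
    role = gss_role_for(principal or "", rule.options)
    if role is None:
        return "gss-wrong-realm"
    return "gss-ok" if role == user else "gss-principal-mismatch"


def wide_open(rules: List[HbaRule]) -> List[HbaRule]:
    """Rules whose address covers every client (prefix length 0), like the 0.0.0.0/0 line above."""
    return [r for r in rules
            if r.address and ipaddress.ip_network(r.address, strict=False).prefixlen == 0]


# Constructed sample; the gss line is the one from step 12.
SAMPLE_PG_HBA = """
local   all   all                trust
host    all   all  127.0.0.1/32  trust
host    all   all  0.0.0.0/0     gss include_realm=0 krb_realm=DATA.LOCAL
"""
RULES = parse_pg_hba(SAMPLE_PG_HBA)

if __name__ == "__main__":
    print(decide(RULES, "template1", "gpadmin", "10.0.0.5", "gpadmin@DATA.LOCAL"))
    print(decide(RULES, "template1", "gpadmin", "127.0.0.1"))
```

The sample deliberately places a loopback trust line above the gss line: because matching stops at the first hit, connections from 127.0.0.1 never reach the Kerberos rule, which is the kind of ordering effect to check whenever a broad 0.0.0.0/0 record is added.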

13. Create a ticket using kinit and show the tickets in the Kerberos ticket cache with klist.

[gpadmin@hdp3 ~]$ kinit gpadmin
Password for gpadmin@DATA.LOCAL: 
[gpadmin@hdp3 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1002
Default principal: gpadmin@DATA.LOCAL
Valid starting Expires Service principal
06/08/17 09:24:19 06/08/17 19:24:33 krbtgt/DATA.LOCAL@DATA.LOCAL
 renew until 06/15/17 09:24:19

If kinit fails with the error "Preauthentication failed while getting initial credentials", try enabling the "Do not require Kerberos preauthentication" checkbox in the "Account options" view for the account on the AD server.


14. As a test, log in to the database as the gpadmin role with the Kerberos credentials gpadmin.

$ psql -U gpadmin -h hdp3.example.com template1


Additional Information

For more information, refer to the following: