Kerberos Installation Example - HDP 2.4


This document should only be used for DEV/Sandbox installation purposes. It helps you quickly Kerberize your Hortonworks sandbox so that you can test Kerberos features.



Java must be installed on all client nodes.

$ java -version
java version "1.7.0_80"
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.80-b11, mixed mode)

$ echo $JAVA_HOME

Install Java Cryptography Extensions (JCE)

sudo wget -nv --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" -O /usr/java/jdk1.7.0_80/jre/lib/security/
cd /usr/java/jdk1.7.0_80/jre/lib/security

sudo unzip
sudo cp UnlimitedJCEPolicy/* .
#sudo rm -r UnlimitedJCEPolicy*

ls -l

Test Java Cryptography Extension

Create a Java file and paste the code below into it.

$ vi

import javax.crypto.Cipher;

class Test {
  public static void main(String[] args) {
    try {
      System.out.println("Hello World!");
      // Maximum AES key length allowed by the installed JCE policy files
      int maxKeyLen = Cipher.getMaxAllowedKeyLength("AES");
      System.out.println(maxKeyLen);
    } catch (Exception e) {
      System.out.println("Sad world :(");
    }
  }
}


$ javac

Run test. The expected number is: 2147483647.

$ java Test

Hello World!


Install Kerberos

On a cluster, go to the master node for installation of Kerberos utilities.

  1. Install a new version of the KDC server:
yum install krb5-server krb5-libs krb5-workstation
  1. Using a text editor, open the KDC server configuration file, located by default here:
vi /etc/krb5.conf
  1. Change the [realms] section, as below, to update the KDC and admin server information.
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm =
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true

[realms] = {
  kdc =
  admin_server =
}
  1. Update /var/kerberos/krb5kdc/kdc.conf. Change the [realms] as
[kdcdefaults]
   kdc_ports = 88
   kdc_tcp_ports = 88

[realms] = {
      #master_key_type = aes256-cts
      acl_file = /var/kerberos/krb5kdc/kadm5.acl
      dict_file = /usr/share/dict/words
      admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
      supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
}
  1. Update /var/kerberos/krb5kdc/kadm5.acl and replace EXAMPLE.COM with
*/ *
  1. Create the Kerberos Database. Use the utility kdb5_util to create the Kerberos database. Enter the password: thinkbig.
kdb5_util create -s
  1. Start the KDC. Start the KDC server and the KDC admin server.
/etc/rc.d/init.d/krb5kdc start
/etc/rc.d/init.d/kadmin start

or, on systemd-based systems:

systemctl start krb5kdc.service
systemctl start kadmin.service
  1. When installing and managing your own MIT KDC, it is important to set up the KDC server to auto-start on boot.
chkconfig krb5kdc on
chkconfig kadmin on

or, on systemd-based systems:

systemctl enable krb5kdc.service
systemctl enable kadmin.service
  1. Create a KDC admin by creating an admin principal. Enter the password: thinkbig.
kadmin.local -q "addprinc admin/admin"
  1. Confirm that this admin principal has permissions in the KDC ACL. Using a text editor, open the KDC ACL file:
vi /var/kerberos/krb5kdc/kadm5.acl
  1. Ensure that the KDC ACL file includes an entry that allows the admin principal to administer the KDC for your specific realm. The file should have an entry:
*/ *
  1. After editing and saving the kadm5.acl file, restart the kadmin process.
/etc/rc.d/init.d/kadmin restart
/etc/rc.d/init.d/krb5kdc restart

or, on systemd-based systems:

systemctl restart kadmin.service
systemctl restart krb5kdc.service
  1. Create a Linux user with the adduser command, as shown below. We will use this user to test whether Kerberos authentication is working. First run the command hadoop fs -ls / after switching to this user, then run the same command again once Kerberos is enabled.
adduser testUser
su testUser
hadoop fs -ls /
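
The supported_enctypes list in the kdc.conf step above offers single-DES, 3DES and RC4 alongside AES; those three families are deprecated for Kerberos (RFC 6649, RFC 8429). The script below is an added example, not part of the original guide: it lists the deprecated enctypes a kdc.conf still offers. The function names and the EXAMPLE.COM sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): list deprecated enctypes that a
# kdc.conf still offers. weak_enctypes and sample_kdc_conf are hypothetical names.

# Print each single-DES, 3DES or RC4 enctype in supported_enctypes, one per line.
weak_enctypes() {
  awk '
    /^[ \t]*#/ { next }                             # skip commented settings
    /supported_enctypes[ \t]*=/ {                   # start of the value
      sub(/.*=/, ""); grab = 1; print; next
    }
    grab && !/=/ && !/\[/ && !/}/ { print; next }   # value wrapped onto next line
    { grab = 0 }                                    # any other line ends the value
  ' "$1" |
    tr -s '[:space:]' '\n' |                        # one enctype:salt per line
    cut -d: -f1 |                                   # drop the salt type
    grep -E '^(des|des3|arcfour|rc4)(-|$)' |        # DES, 3DES and RC4 families
    LC_ALL=C sort -u
}

# Constructed sample: the enctype list from the kdc.conf step, wrapped across
# lines to exercise the continuation handling, under a placeholder realm.
sample_kdc_conf() {
  cat <<'EOF'
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal
  des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal
  des-cbc-md5:normal des-cbc-crc:normal
 }
EOF
}

conf=$(mktemp)
sample_kdc_conf > "$conf"
echo "Deprecated enctypes still offered:"
weak_enctypes "$conf"
rm -f "$conf"
```

On a real KDC, pass /var/kerberos/krb5kdc/kdc.conf as the argument; empty output means only the AES enctypes remain.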

Install Kerberos on an HDP Cluster

  1. Open Ambari, go to the Admin tab, and select Kerberos.


  2. Click Enable Kerberos. The following screen is displayed. Tick the checkboxes as shown in this screenshot, then click Next.


  3. Put in the KDC tab and click to test the KDC connection. Then, in Kadmin, put as host and admin principal as *admin/*, and enter the password created in step 7.

    Leave the advanced Kerberos-env and advanced krb5-conf as they are, and click Next.


  4. Download the .csv file and save it.


  5. Click Next through the end of the process, until finally you can click Complete.


Make sure all services started properly. Kerberos is successfully installed on the cluster.