Kerberos Series - Part I (Ticket Lifetime)

Kerberos is an integral part of big data cluster security infrastructure. Setting up and configuring a Kerberized cluster can be overwhelming for beginners. Through this blog series I am trying to simplify the different administration tasks involved with Kerberos.
Kerberos infrastructure consists of client and server components. The server side consists of two daemons: the KDC (krb5kdc), whose job is to issue and validate tickets, and the kadmin server (kadmind), which is used for administering the KDC.
Modify the default lifetime (24 hrs) of Kerberos tickets

If for some reason you want to modify the default lifetime of Kerberos tickets, the following steps will help. Keep in mind that the KDC grants the shortest of four values: the lifetime the client requests, the realm's max_life, the krbtgt principal's maximum ticket life and the client principal's maximum ticket life. All of the steps below are therefore needed before a longer ticket is actually issued. Remember also that a longer ticket lifetime widens the window in which a stolen credential cache or ticket remains usable, so values such as 20 days should be reserved for service principals that genuinely need them.

1. Edit the file /etc/krb5.conf on the KDC server node and add the max_life property to the [realms] stanza of each realm whose ticket lifetime you intend to modify. (These [realms] parameters are conventionally kept in the KDC's kdc.conf; recent MIT releases merge krb5.conf and kdc.conf for the KDC daemons, so either file works on the KDC.)

[realms]
 DOMAIN.COM = {
  admin_server =
  kdc =
  max_life = 180d
 }
2. Restart the KDC daemon using the following command (on systemd-based distributions the equivalent is systemctl restart krb5kdc)
service krb5kdc restart
3. On the Kerberos client machines, modify the default ticket lifetime requested by clients by editing the [libdefaults] section of /etc/krb5.conf as follows,
[libdefaults]
 renew_lifetime = 7d
 forwardable = true
 default_realm = DOMAIN.COM
 ticket_lifetime = 20d
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

This step is optional: if ticket_lifetime is not specified, clients request the default lifetime of 24 hours, and a longer lifetime then has to be requested explicitly with the -l option of the kinit command. Note also that the default_tgs_enctypes line above lists rc4 and single-DES (des-cbc-md5) types; both are weak and deprecated, so on a current KDC restrict the list to the AES types unless a legacy service forces otherwise.

4. Log in to kadmin or kadmin.local and modify the maximum ticket life of the krbtgt service principal and of each principal that should receive longer tickets

kadmin -p root/admin

kadmin: modprinc -maxlife "20days" krbtgt/DOMAIN.COM
Principal "krbtgt/DOMAIN.COM@DOMAIN.COM" modified.

kadmin: modprinc -maxlife "20days" hdfs/DOMAIN.COM

Congratulations, you have successfully extended the lifetime of your Kerberos principal tickets. Verify with klist that the Expires column now reflects the new lifetime; if it does not, one of the caps above is still at its old value. If you also rely on renew_lifetime, the renewable life is capped in the same way by the maxrenewlife attribute (modprinc -maxrenewlife) on the krbtgt and client principals.

Additional information: If you decide not to set the default ticket lifetime on a client machine, ignore step 3 and instead pass the ticket lifetime as a parameter to the kinit command as shown below

kinit -l "10d" -kt /etc/security/keytabs/hdfs.keytabs hdfs/DOMAIN.COM
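The reason all four steps above are needed is that the MIT KDC issues a TGT valid for the shortest of what the client requested, the realm's max_life, the krbtgt principal's maximum ticket life and the client principal's maximum ticket life. The following is an added example written for this post (not code from the original post or from MIT Kerberos) that encodes that rule, and parses a klist listing to check whether a requested lifetime was actually honoured. The klist text is a constructed sample in the MIT output format, the duration parser accepts the krb5.conf and kadmin style strings used above ("20d", "20days", "180d"), and the function names are my own.

```python
"""Added example (not code from the original post or from MIT Kerberos):
work out the ticket lifetime the KDC will actually grant, and check a
klist listing against what was requested.  Duration strings use the
krb5.conf / kadmin getdate style seen in the post ("20d", "20days", "180d")."""
import re
from datetime import datetime, timedelta

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(text):
    """Parse '20d', '20days', '10h', '2d4h' or a bare number of seconds."""
    text = text.strip().strip('"').strip("'")
    if text.isdigit():
        return timedelta(seconds=int(text))
    parts = re.findall(r"(\d+)\s*([A-Za-z]+)", text)
    if not parts:
        raise ValueError("unrecognised duration: %r" % text)
    total = 0
    for num, unit in parts:
        total += int(num) * _UNIT_SECONDS[unit[0].lower()]
    return timedelta(seconds=total)


def effective_lifetime(requested, realm_max_life, krbtgt_max_life, principal_max_life):
    """The KDC issues a TGT valid for the shortest of: what the client asked
    for (ticket_lifetime or kinit -l), the realm's max_life, the krbtgt
    principal's maximum ticket life, and the client principal's maximum
    ticket life.  Steps 1, 3 and 4 of the post raise exactly those caps."""
    return min(parse_duration(d) for d in
               (requested, realm_max_life, krbtgt_max_life, principal_max_life))


# Constructed sample of MIT `klist` output; not captured from a real cluster.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: hdfs/DOMAIN.COM@DOMAIN.COM

Valid starting       Expires              Service principal
03/04/2024 10:00:00  03/05/2024 10:00:00  krbtgt/DOMAIN.COM@DOMAIN.COM
\trenew until 03/11/2024 10:00:00
"""

_TS_RE = r"\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d"


def _parse_ts(text):
    # Recent MIT klist prints four-digit years; older releases print two.
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError("bad timestamp: %r" % text)


def granted_lifetime(klist_output, service_prefix="krbtgt/"):
    """Return (lifetime, renew_until) for the first ticket whose service
    principal starts with service_prefix; renew_until is None if the
    ticket is not renewable."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"(%s)\s+(%s)\s+(\S+)" % (_TS_RE, _TS_RE), line)
        if not m or not m.group(3).startswith(service_prefix):
            continue
        lifetime = _parse_ts(m.group(2)) - _parse_ts(m.group(1))
        renew_until = None
        if i + 1 < len(lines) and "renew until" in lines[i + 1]:
            renew_until = _parse_ts(lines[i + 1].split("renew until", 1)[1].strip())
        return lifetime, renew_until
    raise ValueError("no %s ticket in klist output" % service_prefix)


def request_honoured(klist_output, requested):
    """True if the TGT is at least as long as requested.  False means a
    KDC-side cap (realm max_life, krbtgt or principal maxlife) is still
    shortening the ticket even though the client asked for more."""
    lifetime, _ = granted_lifetime(klist_output)
    return lifetime >= parse_duration(requested)


if __name__ == "__main__":
    # Realm and krbtgt raised, principal still at 24h: the ticket stays at 1 day.
    print("cap analysis:", effective_lifetime("20d", "180d", "20days", "24h"))
    print("granted:", granted_lifetime(SAMPLE_KLIST))
    print("10d request honoured?", request_honoured(SAMPLE_KLIST, "10d"))
```

In the sample listing the TGT was granted for exactly one day although the client asked for ten, which is what you see when step 4 was skipped for the client principal; running klist on a real node and feeding its output to request_honoured gives the same check against your own configuration.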

