Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2017/11/06 17:08:33 UTC

[NOTICE] FQDN is needed for MIT KDC admin_server_host value

Team…

I wanted to alert you to a change that was added to the trunk via AMBARI-22293 (https://issues.apache.org/jira/browse/AMBARI-22293). As of this change, when enabling Kerberos using either the existing MIT KDC or IPA server options, it is required that the kerberos_env/admin_server_host value is set to the fully qualified domain name (FQDN) of the host where the KDC administrator service runs.

Whether you are using this version or any previous version, the FQDN should be used for this value; however, before the patch for AMBARI-22293 was committed, a short name or IP address worked for the MIT KDC option (but probably not for the IPA option).

The reason the FQDN is now needed is the new way we will be authenticating with the MIT KDC when calling kadmin to manage principals. Historically we called kadmin and passed in the username and password for authentication. The password was supplied to the command via a pipe to STDIN when executing the call. This was relatively slow since it needed to be done for each call to kadmin, and I believe it may have been a cause of authentication failures under heavy load.

As of this patch, authenticating with kadmin is done using a Kerberos ticket. Therefore, at the beginning of a session, kinit is called. The username and password are passed in as we previously did for kinit, but this now only needs to be done once per session. For example, a session may be as short as

                kinit
                kadmin
                kdestroy

or as long as

                kinit
                kadmin
                kadmin
…
                kadmin
                kdestroy

depending on what the operation is doing.

For the MIT KDC’s kadmin server, we need to provide a service ticket for the kadmin admin server.  To obtain the service ticket while authenticating, we need to issue a kinit call like

                kinit -S kadmin/<KDC_FQDN> <ADMIN_PRINCIPAL>

The KDC_FQDN value is taken from the kerberos_env/admin_server_host value. This is why it must be an FQDN.
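As an added illustration (not Ambari's code), the following POSIX sh functions check that an admin_server_host value is an FQDN rather than a short name or IP address, build the kadmin/<KDC_FQDN> service principal, and run one kinit / kadmin... / kdestroy session in a private credential cache. It assumes the MIT krb5 client tools (kinit, kadmin -c, kdestroy) are on PATH; the host names used in the comments are constructed examples.

```shell
#!/bin/sh
# Added example, not part of Ambari. Validates kerberos_env/admin_server_host
# and runs the ticket-based kadmin session described in the mail.

# Return 0 if $1 looks like an FQDN: contains a dot, is not an IPv4 literal,
# and uses only DNS label characters. "kdc1" and "10.0.0.5" are rejected,
# "kdc1.example.com" is accepted (constructed examples).
is_fqdn() {
  case "$1" in
    *.*) ;;            # a short name has no dot and fails here
    *) return 1 ;;
  esac
  # a dotted quad passes the label check below, so reject it explicitly
  if printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'; then
    return 1
  fi
  printf '%s\n' "$1" | grep -Eq \
    '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.?$'
}

# Build the service principal kinit -S needs: kadmin/<KDC_FQDN>, with the
# host lowercased and any trailing dot removed.
kadmin_service_principal() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  printf 'kadmin/%s' "$host"
}

# One session: kinit once, run each kadmin query against that ticket, then
# kdestroy. A private KRB5CCNAME keeps the operator's own tickets untouched.
# Usage: kadmin_session <admin_server_host> <admin_principal> <query>...
kadmin_session() {
  host=$1; admin=$2; shift 2
  is_fqdn "$host" || { echo "admin_server_host must be an FQDN: $host" >&2; return 2; }
  cc="FILE:$(mktemp /tmp/kadm_cc.XXXXXX)"
  KRB5CCNAME=$cc kinit -S "$(kadmin_service_principal "$host")" "$admin" || return 1
  for q in "$@"; do
    # -c makes kadmin use the service ticket already in the cache
    kadmin -c "$cc" -q "$q" || { KRB5CCNAME=$cc kdestroy; return 1; }
  done
  KRB5CCNAME=$cc kdestroy
}
```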

I hope this change does not cause too much inconvenience, especially during upgrade scenarios; but I believe that it is a better model and helps with code reuse for KDC server implementations (like FreeIPA).

Thanks,
Rob