Kerberos is Easy

  [dbadmin@vertica-247 ~]$ vsql -U bob -h vertica-247 Welcome to vsql, the Vertica Analytic Database interactive terminal. Type:  \h or \? for help with vsql commands        \g or terminate with semicolon to execute query        \q to quit bob=> [dbadmin@vertica-247 ~]$ vsql -U bob -k vertica -K vertica-247.vcorp.com -h vertica-247 -c "select client_authentication_name, authentication_method from sessions;"  client_authentication_name | authentication_method ----------------------------+-----------------------  v_kerberos                 | GSS-Kerberos (1 row) [dbadmin@vertica-247 ~]$ vsql -U dbadmin -k vertica -K vertica-247.vcorp.com -h vertica-247 -c "select client_authentication_name, authentication_method from sessions;" vsql: FATAL 3495:  GSSAPI authentication failed for user "dbadmin" [dbadmin@vertica-247 ~]$ vsql -U dbadmin -k vertica -K vertica-247.vcorp.com -h vertica-247 -c "SELECT KERBEROS_CONFIG_CHECK();" vsql: FATAL 3495:  GSSAPI

 check ifcfg-ens resolv.com /etc/hosts /etc/hostname yum install -y krb5-server krb5-workstation pam_krb5 cd /var/kerberos/krb5kdc/ edit kadm5.acl and kdc.conf <Enter domain name> in file "/etc/krb5.conf" enter domain name and hostname.domainname. --Create kerberos database for domain. Run command kdb5_util create -s -r VCORP.COM Enter KDC Master Key: joo-N1e systemctl start krb5kdc kadmin systemctl enable krb5kdc kadmin --For Restarting services systemctl restart krb5kdc systemctl restart kadmin kadmin.local listprincs (5 services will be displayed) Add root to admin user: addprinc root/admin addprinc vertica-249 Password will be asked. It could be different from normal root user. I gave joo-N1e add host to kerberos addprinc -randkey host/vertica-248.vcorp.com Add database details in local kerberos directory: ktadd host/vertica-244.vcorp.com addprinc root quit from kadmin.local console: quit Configure kerberos authentication through client: vi /etc/ssh/ssh_config Set:

 1) To see where HDFS is running: hdfs getconf -confKey fs.default.name 2) Exception encountered while connecting to the server org.apache.hadoop.security.AccessControlException: Client cannot authenticate via:[TOKEN, KERBEROS] Resolution: in krb5.conf comment below lines: # default_ccache_name = KEYRING:persistent:%{uid} 3) Failed to add storage directory [DISK]file:/storage/data Solution to Fix: Solution 1=> If you have valid data on cluster and do not want to delete it then, copy the clusterID from VERSION file of namenode and past it on datanode VERSION file. Solution 2 => delete all files from <dfs.datanode.data.dir> of datanode and<dfs.datanode.data.dir> of namenode directory and format namenode using below command 4) Restart Namenode: sbin/hadoop-daemon.sh start namenode 5) mkdir: Permission denied: user=root, access=WRITE, inode="/user":hdfs:supergroup:drwxr-xr-x Resolution: <<<<Need to retry because when kinit root was run, this started

 curl -s --noproxy "*" --negotiate -u: -X GET "http://q18v06.verticacorp.com:50070/webhdfs/v1/?op=GETDELEGATIONTOKEN" ALTER SESSION SET  HadoopImpersonationConfig = '[{"authority":"q18v06.verticacorp.com:50070", "token":"JgAHcmVsZWFzZQdyZWxlYXNlAIoBfDJbvauKAXxWaEGrjs63jgL6FDxfYHMkmtJuCoUB9AGl9AjM-MPREldFQkhERlMgZGVsZWdhdGlvbhExMC4yMC4xMDAuNTU6ODAyMA"}]'; drop table test; CREATE EXTERNAL TABLE test (id int) AS COPY FROM 'webhdfs://q18v06.verticacorp.com:50070/user/release/data/pq.parquet' PARQUET; select * from test; curl "http://q18v06.verticacorp.com:50070/webhdfs/v1/user/release/data/pq.parquet?op=GETFILESTATUS&delegation=JgAHcmVsZWFzZQdyZWxlYXNlAIoBfDJbvauKAXxWaEGrjs63jgL6FDxfYHMkmtJuCoUB9AGl9AjM-MPREldFQkhERlMgZGVsZWdhdGlvbhExMC4yMC4xMDAuNTU6ODAyMA"

 Active Directory Setup Skip to end of metadata Install pre-requisite: yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python -y cat /etc/resolv.conf search example.com nameserver 192.168.1.2 realm join --user=administrator@<Domain Name> <Domain Name> realm list id administrator@vcorp.com https://www.rootusers.com/how-to-join-centos-linux-to-an-active-directory-domain/ systemctl enable ntpd.service ntpdate <Domain Name> systemctl start ntpd.service Machine is added on the Windows Active Directory. Confirm by "realm List". Also we can see it on "Active Directory Users and Computers" on Domain host under DomainName >> computers 1) Install JDK 2) set KRB5CCNAME=%USERPROFILE%\krb5cache 3) Generate keytab and move to client. Principal name in Windows MIT Client is username@REALM.COM Ksetup needs cmd to be invoked through Admnistrator 4) ksetup /mapuser toad@VCO

 Need 4 servers 1 VM CentOS with Vertica 9.2 2 Windows 2016 servers 4cpu 16gb memory (1 for AD and one for Tableau Server) 1 Windows 10 4cpu 16GB (1 for Tableau Desktop) Keys Tableau  Server – Key -  TSUF-234B-2F60-FFAE-1757 Tableau Deskop – Key - TC62-D3D8-3F00-C359-71FD Need 4 ips in partner area, all on same subnet 172.16.122.20   active-dir-partners.vertica.com 172.16.122.21   venus1.vertica.com 172.16.122.23   tabdesk.vertica.com 172.16.122.24   tabserv.vertica.com 24 = changed Windows Firewall, Inbound, File and Printer Sharing ICMB in ipv4 to enabled per https://www.rootusers.com/how-to-enable-ping-in-windows-server-2016-firewall/ 20 = changed net adapter DNS from 127.0.0.1 to 172.16.122.20 and secondary 10.10.10.85 and restarted to get internet connection Active Directory (active-dir-partners.vertica.com) : • Installed Active directory, DNS and LDAP servers • Named AD active-dir-partners.vertica.com • Created Domain VERTICA.COM • added dns for Tableau Server, Tableau De