doddy.sebastianus

Setting up CM and CDH with Freeipa

Recently, we came across a customer who wanted to set up a Kerberized cluster but did not have an Active Directory server in their infrastructure. Therefore, we needed a solution that provides both LDAP and Kerberos for the cluster. After many trials, research and time constraints, we decided to use FreeIPA to provide the LDAP + Kerberos server. We are glad with our choice, since FreeIPA actually provides much more than we wished for.


Versions:

Cloudera Manager: 6.3

CDH: 6.2.1

IPA : 4.6.5

OS: RHEL 7.5


High level Steps:

  1. Install ipa-server 

  2. Configure ipa-server using ipa-server-install 

  3. Create users and groups

  4. Configure DNS Entries

  5. Install ipa-client on CDH nodes

  6. Configure ipa-client using ipa-client-install 

  7. Test (kinit, klist, kdestroy, etc)

Install ipa-server

This is as straightforward as executing 'yum install ipa-server'.


Configure ipa-server using ipa-server-install 

Our experience installing ipa-server was a bit bumpy, to say the least. Our OS was RHEL 7.5 and we followed the documentation and various guides on the web, but ipa-server-install could not finish successfully. It always got stuck after "Done configuring directory server (dirsrv)." until it finally failed. We were unable to find a root cause, but after we upgraded to RHEL 7.7, it worked.

Another issue we encountered was related to IPv6, which we normally turn off in CDH deployments. We needed to enable it temporarily while installing ipa-server.


Create users and groups

After ipa-server was configured successfully, it was time to test user and group creation. We opened the IPA web UI and tried to log in as the admin user.

We got 'Unknown Error'. This error might be very specific to us, since it was caused by our HTTP port being configured to a non-standard port (7280), which broke the login procedure. After we fixed this by reverting to port 80, user and group creation was smooth sailing.


Configure DNS Entries

We chose to use an external DNS server for our installation. Therefore, we needed to configure the Kerberos DNS entries manually on our DNS server.

This involved quite a bit of trial and error for us. We found the following resource very helpful:

https://web.mit.edu/kerberos/krb5-1.15/doc/admin/realm_config.html#mapping-hostnames-onto-kerberos-realms

We needed to configure SRV and TXT records so that ipa-client is able to find the domain, the realm and the ipa-server.
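As an added illustration (not part of the original post), the following zone fragment shows the records an external DNS server needs so that ipa-client-install can discover the realm and the IPA server; the domain example.com, the realm EXAMPLE.COM, the host ipa.example.com and the address 192.0.2.10 are assumed placeholders.

```zone
; Added example: SRV/TXT records for FreeIPA discovery on an external DNS
; server. Domain, realm, hostname and address below are placeholders.
$ORIGIN example.com.

; Realm name for this DNS domain (TXT record read by the Kerberos client)
_kerberos                 IN TXT  "EXAMPLE.COM"

; KDC locations (port 88); the -master records point at the server that
; accepts password changes and is tried after a preauth failure
_kerberos._udp            IN SRV  0 100 88  ipa.example.com.
_kerberos._tcp            IN SRV  0 100 88  ipa.example.com.
_kerberos-master._udp     IN SRV  0 100 88  ipa.example.com.
_kerberos-master._tcp     IN SRV  0 100 88  ipa.example.com.

; Password change service (port 464)
_kpasswd._udp             IN SRV  0 100 464 ipa.example.com.
_kpasswd._tcp             IN SRV  0 100 464 ipa.example.com.

; LDAP directory (port 389); ipa-client-install uses this to locate the server
_ldap._tcp                IN SRV  0 100 389 ipa.example.com.

; The IPA server itself must resolve forward (and reverse, in the PTR zone)
ipa                       IN A    192.0.2.10
```

Before running ipa-client-install on a node, `dig +short SRV _ldap._tcp.example.com` and `dig +short TXT _kerberos.example.com` from that node should return the records above; if they come back empty, the client will not find the domain.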


Install ipa-client on CDH nodes

Again, this was as straightforward as executing 'yum install ipa-client'.


Configure ipa-client using ipa-client-install 

When we first tried this step, we had not configured the DNS entries properly. We retried it a few times (install, uninstall, repeat) until the client finally joined successfully.

Mainly, the problems we had were related to DNS.


Test (kinit, klist, kdestroy, id, etc)

Finally, after all the hardship, our tests went quite smoothly: id, kinit, klist, kdestroy, generating a keytab and kinit using that keytab all worked perfectly.


Summary

ipa-server provides much richer functionality than a typical manual OpenLDAP + MIT Kerberos installation. It integrates well with CM and CDH. A few takeaways we learned during the setup are:

  • Use a dedicated host for the ipa-server if possible

  • Enable IPv6 if possible

  • Configure DNS properly

  • Configure NTP properly

  • Enable debug in the IPA default.conf if needed

  • Use verbose mode when executing ipa-server-install or ipa-client-install

Thanks to the @freeipa team for providing a very good solution. I wonder why there is not more hype/news about FreeIPA.


The next article will be about how we configured ipa-replica and tested failover between ipa-servers.

© 2019 PT. Expecomputindo.