I have previously used Apache Kerby in this blog as a KDC to illustrate some security-based test-cases for big data components such as Apache Hadoop, Hive, Storm, etc., by pointing to some code on GitHub that shows how to launch a Kerby KDC using Apache Maven. This is convenient, as a KDC can be launched with the principals already created via a single Maven command. However, it is not suitable if the KDC is to be used in a standalone setting.
In this post, we will show how to create a Kerby KDC distribution without writing any code.
1) Install and configure the Apache Kerby KDC
The first step is to download the Apache Kerby source code. Unzip the source, build the distribution, and then run the init script, which populates the "keytabs" directory (including the admin keytab used below), via:
- mvn clean install -DskipTests
- cd kerby-dist
- mvn package -Pdist
- sh bin/kdcinit.sh conf keytabs
The Kerby principals are stored in a backend that is configured in "conf/backend.conf". By default this is a plain JSON file stored in "/tmp/kerby/jsonbackend", which is convenient for testing but not something to rely on for a long-lived KDC. Kerby also supports other, more robust backends such as LDAP, Mavibot and ZooKeeper.
We can start the KDC, and then use the kadmin tool (authenticating with the admin keytab created above) to add a principal, via:
- sh bin/start-kdc.sh conf runtime
- sh bin/kadmin.sh conf/ -k keytabs/admin.keytab
- addprinc -pw password alice@EXAMPLE.COM
We can check that the KDC has started properly using the MIT kinit tool, if it is installed locally, by pointing it at the distribution's krb5.conf:
- export KRB5_CONFIG=/path.to.kdc.dist/conf/krb5.conf
- kinit alice (use "password" for the password when prompted)
Alternatively, the distribution ships its own kinit and klist scripts, which can be used instead of the MIT tools:
- sh bin/kinit.sh -conf conf alice
- sh bin/klist.sh
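When kinit fails against a freshly built KDC, the cause is usually mundane: the KDC is not listening yet, or the realm in the principal does not match the realm in krb5.conf. The following Python script is an added example (not code from this post or from the Apache Kerby project) that reads a client krb5.conf, finds the KDC host and port for the default realm, checks that the principal's realm agrees with it, and does a plain TCP connect with a timeout. The krb5.conf text embedded in it is constructed for the example, and the realm, host and port in it are assumptions; pass the path to the distribution's real conf/krb5.conf on the command line to check an actual KDC.

```python
"""Smoke-check a freshly started KDC before trying kinit against it."""
import re
import socket
from dataclasses import dataclass

# Constructed sample in the shape of the krb5.conf that kdcinit writes to
# conf/krb5.conf; the realm, host and port here are assumptions of this example.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # extra keys are ignored by the parser
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = localhost:88
    }
"""

KERBEROS_DEFAULT_PORT = 88  # used when a kdc entry carries no explicit port


@dataclass(frozen=True)
class KdcEndpoint:
    realm: str
    host: str
    port: int


def parse_sections(text):
    """Split krb5.conf into {section_name: [non-empty, comment-stripped lines]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def _key_value(line):
    key, _, value = line.partition("=")
    return key.strip(), value.strip()


def kdc_endpoint(conf_text):
    """Return the KDC host/port that the default realm in conf_text points at."""
    sections = parse_sections(conf_text)
    realm = None
    for line in sections.get("libdefaults", []):
        key, value = _key_value(line)
        if key == "default_realm":
            realm = value
    if realm is None:
        raise ValueError("krb5.conf has no default_realm in [libdefaults]")

    open_realm = None
    for line in sections.get("realms", []):
        if line.endswith("{"):
            open_realm, _ = _key_value(line[:-1])  # e.g. "EXAMPLE.COM = {"
        elif line == "}":
            open_realm = None
        elif open_realm == realm:
            key, value = _key_value(line)
            if key == "kdc":
                host, _, port = value.partition(":")
                return KdcEndpoint(realm, host, int(port) if port else KERBEROS_DEFAULT_PORT)
    raise ValueError(f"no kdc entry for realm {realm} in [realms]")


def principal_realm_matches(principal, endpoint):
    """True for 'alice' (kinit appends the default realm) or 'alice@EXAMPLE.COM';
    a different explicit realm will never be served by this KDC."""
    _, _, realm = principal.partition("@")
    return realm == "" or realm == endpoint.realm


def kdc_reachable(host, port, timeout=2.0):
    """Plain TCP connect: tells us only whether something listens where kinit
    will go; it does not speak Kerberos."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def free_local_port():
    """A loopback port nothing is listening on, to demonstrate a negative probe."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def smoke_check(conf_text, principal, timeout=2.0):
    """Combine the checks into one report dict."""
    endpoint = kdc_endpoint(conf_text)
    return {
        "endpoint": endpoint,
        "realm_ok": principal_realm_matches(principal, endpoint),
        "reachable": kdc_reachable(endpoint.host, endpoint.port, timeout),
    }


if __name__ == "__main__":
    import sys
    # Usage: python kdc_check.py [/path/to/conf/krb5.conf] [principal]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KRB5_CONF
    report = smoke_check(text, sys.argv[2] if len(sys.argv) > 2 else "alice@EXAMPLE.COM")
    ep = report["endpoint"]
    print(f"realm {ep.realm}: KDC at {ep.host}:{ep.port}, "
          f"reachable={report['reachable']}, principal realm ok={report['realm_ok']}")
```

The TCP probe deliberately stops short of speaking Kerberos: a successful connect plus a matching realm means the remaining failure modes are the password or the principal itself, which is exactly what the kinit step above then exercises.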