Accessing Splice Machine from Windows on a Kerberized Cluster

This section shows you how to use either of these Kerberos implementations to access Splice Machine from a computer running Microsoft Windows:

  • Microsoft Active Directory Kerberos
  • MIT Kerberos

Configuring Microsoft Active Directory Kerberos

To use Microsoft Active Directory Kerberos with Splice Machine, you need to do the following:

  1. Configure our ODBC driver to use Microsoft Active Directory Kerberos; you typically do this during driver installation.

  2. Verify that MIT Kerberos is not installed on the client Windows computer.

  3. Make sure that the MIT Kerberos Hadoop realm has been configured to trust the Active Directory realm so that users in the Active Directory realm can access services in the MIT Kerberos Hadoop realm.

Configuring MIT Kerberos

To use MIT Kerberos with Splice Machine on Windows, you must download and install MIT Kerberos for Windows 4.0.1. Follow these steps:

  1. Download and Run the MIT Kerberos Installer
  2. Set up the Kerberos Configuration File
  3. Set up the Kerberos Credential Cache File
  4. Obtain a ticket for a Kerberos Principal

Step 1: Download and Run the MIT Kerberos Installer for Windows

You can find the installer here: http://web.mit.edu/kerberos/dist/kfw/4.0/kfw-4.0.1-amd64.msi

MIT’s documentation page for Kerberos is here: http://web.mit.edu/kerberos/.

Step 2: Set up the Kerberos Configuration file

There are two ways to do this, both of which are described in this section.

Set Up the Configuration in the Default Windows Directory

Follow these steps to set up your configuration file in the default directory:

  1. Obtain the krb5.conf configuration file from your Kerberos administrator.

  2. Rename that file to krb5.ini.

  3. Copy the krb5.ini file to the C:\ProgramData\MIT\Kerberos5 directory.

Set Up the Configuration in a Custom Location

Follow these steps to set up the configuration in a custom location:

  1. Obtain the /etc/krb5.conf configuration file from your Kerberos administrator.

  2. Place the krb5.conf file in an accessible directory and make note of the full path name.

  3. Click Start, then right-click Computer, and then click Properties.

  4. Click Advanced system settings.

  5. In the System Properties dialog, click the Advanced tab, and then click Environment Variables.

  6. In the Environment Variables dialog, under the System variables list, click New.

  7. In the New System Variable dialog, in the Variable Name field, type KRB5_CONFIG.

  8. In the Variable Value field, type the absolute path to the krb5.conf file from step 1.

  9. Click OK to save the new variable.

  10. Ensure the variable is listed in the System variables list.

  11. Click OK to close the Environment Variables dialog, and then click OK to close the System Properties dialog.

Step 3: Set Up the Kerberos Credential Cache File

Kerberos uses a credential cache to store and manage credentials. Follow these steps to set up the credentials cache file:

  1. Create the directory where you want to save the Kerberos credential cache file; for example, you can use C:\temp.

  2. Click Start, then right-click Computer, and then click Properties.

  3. Click Advanced system settings.

  4. In the System Properties dialog, click the Advanced tab, and then click Environment Variables.

  5. In the Environment Variables dialog, under the System variables list, click New.

  6. In the New System Variable dialog, in the Variable Name field, type KRB5CCNAME.

  7. In the Variable Value field, type the path to the folder you created in step 1, and then append the file name krb5cache. For example, C:\temp\krb5cache.

    krb5cache is a file (not a directory) that is managed by the Kerberos software; users should not create it. If you receive a permission error when you first use Kerberos, ensure that krb5cache does not already exist as a file or directory.

  8. Click OK to save the new variable.

  9. Ensure the variable appears in the System variables list.

  10. Click OK to close the Environment Variables dialog, and then click OK to close the System Properties dialog.

  11. To ensure that Kerberos uses the new settings, restart your computer.
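
The dialog steps in Step 2 (custom location) and Step 3 can also be scripted. The following PowerShell is an added example, not part of the original Splice Machine documentation; the configuration path C:\kerberos\krb5.conf is an assumed location, and the script must be run from an elevated prompt because it writes system variables.

```powershell
# Added example: scripted equivalent of the Step 2 (custom location) and Step 3 dialogs.
# Assumed paths; adjust to your environment.
$ConfigPath = 'C:\kerberos\krb5.conf'   # assumption: where you placed the file
$CachePath  = 'C:\temp\krb5cache'       # example value used in Step 3

# The configuration file must already exist; it comes from your Kerberos administrator.
if (-not (Test-Path -LiteralPath $ConfigPath -PathType Leaf)) {
    throw "Kerberos configuration file not found: $ConfigPath"
}

# Create the directory that will hold the cache, but never the cache file itself.
$CacheDir = Split-Path -Path $CachePath -Parent
if (-not (Test-Path -LiteralPath $CacheDir -PathType Container)) {
    New-Item -ItemType Directory -Path $CacheDir | Out-Null
}

# A directory named krb5cache is the permission-error case described in Step 3.
if (Test-Path -LiteralPath $CachePath -PathType Container) {
    throw "$CachePath is a directory; remove it so Kerberos can create the cache file."
}
if (Test-Path -LiteralPath $CachePath -PathType Leaf) {
    Write-Warning "$CachePath already exists; delete it if kinit reports a permission error."
}

# Set both variables at machine scope (the "System variables" list in the dialog).
[Environment]::SetEnvironmentVariable('KRB5_CONFIG', $ConfigPath, 'Machine')
[Environment]::SetEnvironmentVariable('KRB5CCNAME',  $CachePath,  'Machine')

# Read the values back from machine scope to confirm they were stored.
foreach ($name in 'KRB5_CONFIG', 'KRB5CCNAME') {
    $value = [Environment]::GetEnvironmentVariable($name, 'Machine')
    Write-Output ("{0} = {1}" -f $name, $value)
}

# Show who can access the cache directory: any account that can read the
# cache file can use the tickets stored in it.
(Get-Acl -LiteralPath $CacheDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

Write-Output 'Restart the computer so that Kerberos picks up the new settings.'
```

If the access list shows broad groups with read rights on the cache directory, choose a directory restricted to the account that will hold the tickets.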

Step 4: Obtain a Ticket for a Kerberos Principal

A principal is a user or service that can authenticate to Kerberos. To authenticate to Kerberos, a principal must obtain a ticket in one of these ways:

  • Using a password
  • Using the default keytab file
  • Using a custom keytab file

Each of these options is described in this section.

Obtain a Ticket Using a Password

  1. Click the Start button, then click All Programs, and then click the Kerberos for Windows (64-bit) or the Kerberos for Windows (32-bit) program group.

  2. Click MIT Kerberos Ticket Manager.

  3. In the MIT Kerberos Ticket Manager, click Get Ticket.

  4. In the Get Ticket dialog, type your principal name and password, and then click OK.

    If the authentication succeeds, then your ticket information appears in the MIT Kerberos Ticket Manager.

Obtain a Ticket Using the Default Keytab File

  1. Click the Start button > All Programs > Accessories > Command Prompt.

  2. In the Command Prompt, type a command using the following syntax:

    kinit -k principal
    
    • principal is the Kerberos principal to use for authentication. For example:
      my/myserver.example.com@EXAMPLE.COM
      
    • If the cache location KRB5CCNAME is not set or not used, then use the -c option of the kinit command to specify the credential cache. The -c argument must appear last on the command line. For example:
      kinit -k mydir/fully.qualified.domain.name@your-realm.com -c C:\ProgramData\MIT\krbcache
      

Obtain a Ticket Using a Custom Keytab File

  1. Click the Start button > All Programs > Accessories > Command Prompt.
  2. In the Command Prompt, type a command using the following syntax:

    kinit -k -t keytab_file principal
    
    • keytab_file is the full path to the keytab file. For example:
      C:\mykeytabs\myserver.keytab
      
    • principal is the Kerberos principal to use for authentication. For example:
      mydir/myserver.example.com@EXAMPLE.COM
      
    • If the cache location KRB5CCNAME is not set or not used, then use the -c option of the kinit command to specify the credential cache. The -c argument must appear last on the command line. For example:

      kinit -k -t C:\mykeytabs\myserver.keytab mydir/fully.qualified.domain.name@your-realm.com -c C:\ProgramData\MIT\krbcache
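
The two keytab procedures above can be combined into one script that builds the kinit command line, adds -c last only when KRB5CCNAME is not set, and checks the keytab file's access list first. This is an added example, not part of the original Splice Machine documentation; the script name Get-KeytabTicket.ps1 and its parameter names are hypothetical, and it assumes the MIT kinit.exe is the first kinit on the PATH.

```powershell
# Get-KeytabTicket.ps1 (hypothetical name): added example wrapping the kinit
# keytab commands shown above. Assumes MIT kinit.exe is first on the PATH.
param(
    [Parameter(Mandatory)] [string] $Principal,
    [string] $Keytab,   # omit to use the default keytab (kinit -k)
    [string] $FallbackCache = 'C:\ProgramData\MIT\krbcache'  # example path from the page
)

$kinitArgs = @('-k')

if ($Keytab) {
    if (-not (Test-Path -LiteralPath $Keytab -PathType Leaf)) {
        throw "Keytab file not found: $Keytab"
    }

    # A keytab holds the principal's long-term key, so flag Allow entries for
    # broad groups. Group names below are the English ones; localized Windows
    # installations use translated names.
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    (Get-Acl -LiteralPath $Keytab).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broad -contains $_.IdentityReference.Value
        } |
        ForEach-Object {
            Write-Warning "Keytab is accessible to $($_.IdentityReference.Value); restrict its ACL."
        }

    $kinitArgs += '-t', $Keytab
}

$kinitArgs += $Principal

# The -c option must appear last, and is only needed when KRB5CCNAME is not set.
if (-not $env:KRB5CCNAME) {
    $kinitArgs += '-c', $FallbackCache
}

Write-Output ("Running: kinit {0}" -f ($kinitArgs -join ' '))
& kinit @kinitArgs
if ($LASTEXITCODE -ne 0) {
    throw "kinit failed with exit code $LASTEXITCODE"
}
```

Run it with -Principal alone for the default keytab, or add -Keytab with the full path to a custom keytab file.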
      

For more information about configuring Kerberos, consult the MIT Kerberos documentation: http://web.mit.edu/kerberos/.