DataStax 6.7 Security Guide (EOSL)

Configuring Kerberos connection information for clients

Install Kerberos clients and configure the Kerberos connection details.

Install Kerberos clients and configure the Kerberos realm and connection details.

Prerequisites

From your organizations Kerberos administrator, get the krb5.conf configured for domain that contains the DataStax cluster.

Procedure

Install Kerberos client software on each node using one of the following methods:
- Tarball-based systems:
```
wget http://web.mit.edu/Kerberos/dist/krb5/1.17/krb5-1.17.tar.gz
```
- RHEL-based systems:
```
sudo yum install krb5-workstation krb5-libs krb5-pkinit-openssl
```
- Debian-based systems:
```
sudo apt-get install krb5-user krb5-config krb5-pkinit
```
(Optional) In the krb5.conf, verify that the libdefaults settings have DNS and realm lookup disabled.
```
[libdefaults]
dns_lookup_kdc = false
dns_lookup_realm = false
```
Tip: DataStax recommends not using DNS lookup for KDC and REALM entries. Relying on DNS may negative impact performance and functionality.
Distribute the configuration file to each node using one of the following methods:
- Default location - Put the krb5.conf file in the /etc directory.
- Custom location - When the krb5.conf file is in a location other than default, provide the location using environment variable KRB5_CONFIG.
```
export KRB5_CONFIG="path_to_file"
```
  Tip: Refer to MIT Kerberos documentation for full list of default paths.