Github user radarwave commented on a diff in the pull request:
https://github.com/apache/incubator-hawq-docs/pull/131#discussion_r143965363
--- Diff: markdown/clientaccess/kerberos.html.md.erb ---
@@ -697,3 +753,172 @@ Follow these steps to install and configure a
Kerberos KDC server on a Red Hat E
root@kdc-server$ /sbin/chkconfig krb5kdc on
root@kdc-server$ /sbin/chkconfig kadmin on
```
+
+### <a id="task_setup_kdc_ad"></a>Install and Configure KDC Server on
Active Directory
+
+Follow these steps to install and configure a Kerberos KDC server on a
Windows host with Active Directory.
+
+1. Log into the Windows server as a user with administrator permissions.
+
+2. From the **Start** menu, select **Control Panel** \> **Adminisrative
Tools** \> **Active Directory Users and Computers**.
+
+ Note: If there is no entry for **Active Directory Users and
Computers**, Active Directory service may not have been correctly installed.
+
+3. Go to the DATALOCAL entry in the directory tree of the **Active
Directory Users and Computers** window and right click on **Managed Service
Accounts**.
+
+4. Select **New** \> **User**.
+
+5. A **New Object - User** popup window will appear. In the **First
name:** window, enter `gpadmin` and also enter `gpadnub` as the **User logon
name**.
+
+6. Click **Next**. Create and confirm a password. Enable the checkbox for
**Password never expires**. Click **Next**, then **Finish**.
+
+7. Log into Windows as Administrator. Depending on your Windows
environment, either open a Windows power shell or click **Start** and open a
command prompt session and select **Run as Administrator** \> **Yes** to open
an administrator window.
+
+8. Add a Service Principal Name (SPN) for the account just created:
+
+ ``` shell
+ PS C:\Users\Administrator> setspn -A postgres/hdp3.example.com gpadmin
+ ```
+
+9. Generate a keytab file by using the `ktpass` command. This command
takes the form:
+
+ ``` shell
+ ktpass -princ postgres/<FQDN of HDB master> -pass <password> -mapuser
<Managed Service Account name> -crypto ALL -ptype KRB5_NT_PRINCIPAL -out
<keytab filename> -kvno 0
+ ```
+ For example, to create `hdp3.keytab` for gpadmin on
[email protected]:
+
+ ``` shell
+ PS C:\Users\Administrator> ktpass -princ
postgres/[email protected] -pass abcd1234 -mapuser gpadmin -crypto
ALL -ptype KRB5_NT_PRINCIPAL -out hdp3.keytab -kvno 0
+
+ Targeting domain controller: WIN-TIH2EBEERUK.DATA.LOCAL
+
+ Using legacy password setting method
+ Key created.
+ Key created.
+ Key created.
+ Key created.
+ Key created.
+ Output keytab to hdp3.keytab:
+ Keytab version: 0x502
+ keysize 61 postgres/[email protected] ptype 1
(KRB5_NT_PRINCIPAL) vno 0 etype 0x1 (DES-CBC-CRC) keylength 8
(0xa8d0405789a8469e)
+keysize 61 postgres/[email protected] ptype 1
(KRB5_NT_PRINCIPAL) vno 0 etype 0x3 (DES-CBC-MD5) keylength 8
(0xa8d0405789a8469e)
+keysize 69 postgres/[email protected] ptype 1
(KRB5_NT_PRINCIPAL) vno 0 etype 0x17 (RC4-HMAC) keylength 16
(0x161cff084477fe596a5db81874498a24)
+keysize 85 postgres/[email protected] ptype 1
(KRB5_NT_PRINCIPAL) vno 0 etype 0x12 (AES256-SHA1) keylength 32
(0x20648bd82de77bf66a1dcac4b3050bc308f2cc38f4a13e814ad5bd30e67ef388)
+keysize 69 postgres/[email protected] ptype 1
(KRB5_NT_PRINCIPAL) vno 0 etype 0x11 (AES128-SHA1) keylength 16
(0xa026bb25aa495af5334cd4f185d33071):
+ ```
+
+10. Transfer the generated keytab file to the HDB master. For example:
+
+ ``` shell
+ root@kdc-server$ scp /etc/ad_keytab/keytabs/hawq.service.keytab
<master>:/etc/ad_keytab/keytabs/hawq.service.keytab
+ ```
+Change the ownership of the keytab file to `gpadmin:gpadmin` and the mode
to `600`.
+
+
+ ``` shell
+ root@kdc-server$ ssh <master> chown gpadmin:gpadmin
/etc/ad_keytab/keytabs/hawq.service.keytab
+ root@kdc-server$ ssh <master> chmod 600
/etc/ad_keytab/keytabs/hawq.service.keytab
+ ```
+
+***Can you use automated kerberos setup on Ambari?**
+
+11. Log into HAWQ through the administrator window and install the
Kerberos packages on the HAWQ master.
+
+12. Change the ticket renewal interval.
+
+13. Edit the `.etc/krb5.conf` configuration file to define the Kerberos
realm for the cluster.
+
+ **Can you set up with PS C:\Users\Administrator> ? What if you use
Ambari? This page has commands for Powershell:
+
https://hortonworks.com/blog/enabling-kerberos-hdp-active-directory-integration/**
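Review bot: In step 9, both the command template and the example pass `-crypto ALL` to `ktpass`, and the sample output shows the resulting keytab carrying DES-CBC-CRC, DES-CBC-MD5 and RC4-HMAC keys alongside the AES ones. Suggest restricting the documented command to the AES types (for instance `-crypto AES256-SHA1`) so that readers who copy it do not end up with weak enctypes in the service keytab, and replacing the literal `-pass abcd1234` in the example with the `<password>` placeholder used in the template. Separately, step 5 gives the logon name as `gpadnub` while steps 8 and 9 use `gpadmin`, step 13 refers to `.etc/krb5.conf`, and step 10 copies `hawq.service.keytab` from `kdc-server` although step 9 wrote `hdp3.keytab` on the Windows host. These should be made consistent before merge.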
--- End diff --
We can remove the reference to this link, as it's kind of out of date and does not
have too much value for our settings.
---