SPNEGO service on an existing node

Hi

Be interested to see if anyone else has seen a similar issue to ours... and what they did to get round it...

Although this may be caused by a complete lack of understanding on my part!

We need to add a Kerberos-based application to one of our Cloudera edge nodes (Livy in this case).

This application requires SPNEGO, and hence an HTTP service principal needs to be used.

The Cloudera Manager kerberization process looks to create one for all the nodes in the cluster.

How do I get a keytab for this SPN so I can kinit against it?

We're using Active Directory as the KDC.

Thanks

Simon


Re: SPNEGO service on an existing node

When CM creates a principal it sets the password and creates the keytab file. This can be found in the running process directory for the process, /var/run/cloudera-scm-agent/process.

Why do you want to auth as this process's user?

Re: SPNEGO service on an existing node

It's another piece of software, Livy in this case, that is kinit-ing as the service principal.

In this case it's the HTTP SPN for SPNEGO that's being used; it looks like the CM kerberization wizard puts an HTTP SPN in AD for each host, but then as passwords are not published for the user account that's been mapped, there's no way of accessing it.

I can't create a new SPN in AD, as one already exists for the service/host combination I need.

There are no services using the HTTP SPN currently, as the node I'm working on is a gateway, but I don't want to start changing passwords (and I believe (although not absolutely sure!) using ktpass to remap the user will create a new password?)
