New Contributor
Posts: 3
Registered: ‎01-25-2018
Accepted Solution

Custom Kerberos Keytab Retrieval Script is not working when enable kerberos

Hello Community,


We are using CDH 5.13.1 and CM has the same version. Since we cannot get an AD admin account due to security policy, we created all CDH principals manually in AD and provide the keytabs for CM to import. We referenced https://www.cloudera.com/documentation/enterprise/latest/topics/sg_keytab_retrieval_script.html to make the "keytab retrieve script" and set the property in CM. And I did set 777 permissions, by the way.

set_keytab_retrieve_script.png

But here is the problem: when I enable Kerberos with the wizard, it always uses "/usr/share/cmf/bin/import_credentials.sh" and then errors.

error_msg.png 

In my understanding, when I set the "Custom Kerberos Keytab Retrieval Script" property, Cloudera Manager will get principals and keytabs from the retrieval script. Therefore, the user name and password would not take any effect in this case. Why, and what should I do?


Thanks,

Velen

Expert Contributor
Posts: 103
Registered: ‎01-08-2018

Re: Custom Kerberos Keytab Retrieval Script is not working when enable kerberos

Hi,

I have implemented the same thing in CDH 5.11. The procedure works fine (at least on this version).

There is no need to give 777 permissions. Security-wise, the keytabs should have 400 permissions and the owner should be the cloudera-scm user.

I assume that your keytab files are located under "/keytabs/" or whatever directory you have configured in your script.

You should be careful with the keytab filenames. Example keytabs:

hive_slavenode1.example.com@EXAMPLE.COM.keytab

HTTP_slavenode1.example.com@EXAMPLE.COM.keytab

...


PS: The script should have execute permissions, and the script and all keytabs should be on the host where you are running Cloudera Manager.
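The reply above describes the shape of the script without showing one. The following is an added example written for this thread, not the poster's script and not Cloudera's own code. It assumes (as the documentation linked in the question describes, but labelled here as an assumption) that Cloudera Manager calls the configured script with two arguments, the full principal name and the destination path for the keytab, and that the pre-created keytabs sit under a single directory named after the principal with the `/` of a service principal replaced by `_`, matching the filenames in the reply. It refuses to hand out a keytab that is not mode 400, which is the check a defender would want before long-term keys leave that directory.

```shell
#!/bin/sh
# Added example, not from the thread or from Cloudera.
# Assumed calling convention: <script> <full-principal> <destination-keytab-path>
# Assumed layout: $KEYTAB_DIR/<principal with '/' -> '_'>.keytab, for example
#   /keytabs/hive_slavenode1.example.com@EXAMPLE.COM.keytab
KEYTAB_DIR="${KEYTAB_DIR:-/keytabs}"

# keytab_file_for PRINCIPAL: print the expected keytab path for a principal.
keytab_file_for() {
    name=$(printf '%s' "$1" | tr '/' '_')
    printf '%s/%s.keytab\n' "$KEYTAB_DIR" "$name"
}

# retrieve_keytab PRINCIPAL DEST: copy the pre-created keytab to DEST.
# Return codes: 0 ok, 1 no keytab, 2 bad argument, 3 keytab too permissive.
retrieve_keytab() {
    principal="$1"
    dest="$2"
    if [ -z "$principal" ] || [ -z "$dest" ]; then
        echo "usage: retrieve_keytab PRINCIPAL DEST" >&2
        return 2
    fi
    src=$(keytab_file_for "$principal")
    if [ ! -f "$src" ]; then
        echo "no keytab for $principal at $src" >&2
        return 1
    fi
    # Keytabs hold long-term keys: only serve files that are owner-read-only (400).
    mode=$(stat -c %a "$src" 2>/dev/null || stat -f %Lp "$src")
    if [ "$mode" != "400" ]; then
        echo "keytab $src has mode $mode, expected 400; refusing" >&2
        return 3
    fi
    # Write the copy owner-only from the start, then pin it to 400 as well.
    ( umask 077 && cp "$src" "$dest" ) && chmod 400 "$dest"
}

# When executed by Cloudera Manager the two arguments are present; when this
# file is sourced for testing, $# is 0 and nothing runs.
if [ "$#" -eq 2 ]; then
    retrieve_keytab "$1" "$2"
fi
```

Point the "Custom Kerberos Keytab Retrieval Script" property at this file (executable, owned by the Cloudera Manager user) and keep `KEYTAB_DIR` on the Cloudera Manager host, as the reply notes. The mode check is deliberate: a keytab that has been chmod 777'd to "make it work" is readable by every local account, and the script refusing it surfaces that misconfiguration in the CM error message instead of silently propagating the key.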

New Contributor
Posts: 3
Registered: ‎01-25-2018

Re: Custom Kerberos Keytab Retrieval Script is not working when enable kerberos

Found the answer. The AD server did not have SSL enabled, so CM couldn't connect to AD with ldaps. When I installed "Active Directory Certificate Services" in Windows Server, it all worked!


Velen

New Contributor
Posts: 1
Registered: ‎06-04-2018

Re: Custom Kerberos Keytab Retrieval Script is not working when enable kerberos

Hi, I have a similar requirement where we cannot get an AD admin account due to security policy. We are using CDH 5.11.2 Express version. Could you please help me by providing steps for this approach.


Thanks in Advance.


Regards,

Dinu
