02-23-2018 12:43 AM
We are using CDH 5.13.1 and CM has the same version. Hello. Since we cannot get an AD admin account due to security policy, we create all CDH principals manually on AD and provide keytabs for CM to import. We referenced https://www.cloudera.com/documentation/enterprise/latest/topics/sg_keytab_retrieval_script.html to make the "keytab retrieval script" and set the property in CM. And I did set 777 permissions, by the way.
But here is the problem: when I enable Kerberos with the wizard, it always uses "/usr/share/cmf/bin/import_credentials.sh" and then errors.
In my understanding, when I set the "Custom Kerberos Keytab Retrieval Script" property, Cloudera Manager will get principals and keytabs from the retrieval script. Therefore, the user name and password should not take any effect in this case. Why, and what should I do?
02-28-2018 01:35 AM
I have implemented the same thing in CDH 5.11. The procedure works fine (at least on this version).
There is no need to give 777 permissions. Security-wise, the keytabs should have 400 permissions and the owner should be the cloudera-scm user.
I assume that your keytab files are located under "/keytabs/" or whatever directory you have configured in your script.
You should be careful with the keytab filename. Example of keytabs:
PS: The script should have execute permissions, and the script and all keytabs should be on the host where you are running Cloudera Manager.
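As an added illustration of the procedure in the reply above (editor's example, not the poster's script and not Cloudera's own code), here is a minimal retrieval script of the kind the linked Cloudera page describes. It assumes Cloudera Manager invokes the script with two arguments, the destination keytab path and the full principal name, and it assumes the pre-created keytabs live under /keytabs (overridable with the hypothetical KEYTAB_DIR variable) named `<primary>_<instance>.keytab`, or `<primary>.keytab` for principals without an instance. Both the argument order and the naming convention are assumptions to check against your own setup.

```shell
#!/bin/sh
# Example Kerberos keytab retrieval script for Cloudera Manager (added example).
# Assumed call convention: <script> <destination_keytab_file> <principal>
# Assumed layout: pre-created keytabs stored under KEYTAB_DIR (default /keytabs).
KEYTAB_DIR="${KEYTAB_DIR:-/keytabs}"

# Map a principal to the expected keytab path.
#   hdfs/host.example.com@EXAMPLE.COM -> $KEYTAB_DIR/hdfs_host.example.com.keytab
#   cloudera-scm@EXAMPLE.COM          -> $KEYTAB_DIR/cloudera-scm.keytab
keytab_path_for() {
  princ="$1"
  short="${princ%%@*}"        # drop the @REALM part
  primary="${short%%/*}"      # text before the first '/'
  if [ "$short" = "$primary" ]; then
    printf '%s/%s.keytab\n' "$KEYTAB_DIR" "$primary"
  else
    instance="${short#*/}"    # text after the first '/'
    printf '%s/%s_%s.keytab\n' "$KEYTAB_DIR" "$primary" "$instance"
  fi
}

# Reject principal strings that could escape KEYTAB_DIR when turned into a path.
valid_principal() {
  case "$1" in
    ""|*..*|*/*/*|*[!A-Za-z0-9._@/-]*) return 1 ;;
  esac
  return 0
}

# Copy the matching keytab to the file CM asked for. Fails (non-zero) when the
# principal is malformed or no keytab exists, so CM reports a clear error.
fetch_keytab() {
  dest="$1"
  princ="$2"
  if ! valid_principal "$princ"; then
    echo "refusing malformed principal: $princ" >&2
    return 1
  fi
  src="$(keytab_path_for "$princ")"
  if [ ! -f "$src" ]; then
    echo "no keytab for $princ at $src" >&2
    return 1
  fi
  cp "$src" "$dest" && chmod 600 "$dest"
}

# Only act when invoked by CM with the two expected arguments.
if [ "$#" -eq 2 ]; then
  fetch_keytab "$1" "$2"
fi
```

Place the script and the keytabs on the Cloudera Manager host, make the script executable, and keep the keytab files readable only by the cloudera-scm user, as the reply above recommends; the script copies rather than moves so the original stays in place for later re-imports.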
03-01-2018 07:13 PM
Found the answer. The AD server did not have SSL enabled, so CM couldn't connect to AD with LDAPS. When I installed "Active Directory Certificate Services" on Windows Server, it all worked!
06-05-2018 12:01 AM
Hi, I have a similar requirement where we cannot get an AD admin account due to security policy. We are using CDH 5.11.2 Express version. Could you please help me by providing the steps for this approach?
Thanks in Advance.