Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Cloubdreak on Azure Kerberos configuration hostnames too long

Labels:
avatar
author-rank james_bashforth
Explorer

Created ‎08-03-2018 03:02 AM

Hi,

I am setting up a Kerberized cluster with Cloudbreak 2.7 on Azure. We have created a cluster install using simple options and it all works well, however, once we come to installing a cluster using Kerberos we are running into an error when creating the principals.

Failed to create the account for HTTP/hostname.guid.px.internal.cloudapp.net@EXAMPLE.COM

it seems that the principal is too long to fit into the 64 char limit that we have in Active Directory due to the hostname being too long.

My questions are

Is there a way around this issue?

Has anyone else managed to setup kerberos on Azure using Active Directory, if so how?

Thanks for any help that can be provided.

782 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank rlevas
Guru

Created ‎08-03-2018 03:19 AM

There is a workaround for this issue. However the results may not be desired since the CN will be a set of seemingly random characters.

The CN is set using the value calculated using the Velocity template specified in the kerberos-env/ad_create_attributes_template configuration. The default value of the template is 

{
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "cn": "$principal_name",
  #if( $is_service )
  "servicePrincipalName": "$principal_name",
  #end
  "userPrincipalName": "$normalized_principal",
  "unicodePwd": "$password",
  "accountExpires": "0",
  "userAccountControl": "66048"
}

As you can see, the CN value is set to the identity's principal name. This can be changed, but we need to make sure the value will be unique. There are several variables available to use in this template. See https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.1.5/bk_ambari-security/content/customizing_the_....

You can use one of the hashes to limit the size of the value and provide a reasonable probability of uniqueness:

  • principal_digest (SHA1) - 40 characters
  • principal_digest_256 (SHA256) - 64 characters
  • principal_digest_512 (SHA512) - 128 characters

Since the maximum length for the CN attribute in an Active Directory is 64 characters, I would suggest using principal_digest_256.

For example, 

{
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "cn": "$principal_digest_256",
  #if( $is_service )
  "servicePrincipalName": "$principal_name",
  #end
  "userPrincipalName": "$normalized_principal",
  "unicodePwd": "$password",
  "accountExpires": "0",
  "userAccountControl": "66048"
}

Notice the "cn" line was changed from "cn": "$principal_name" to "cn": "$principal_digest_256".

You can change this templet from the Enable Kerberos Wizard if you open the Advanced kerberos-env tab on the Configure Kerberos page and look for the Account Attribute Template property.

View solution in original post

683 Views
1 REPLY 1

avatar
author-rank rlevas
Guru

Created ‎08-03-2018 03:19 AM

There is a workaround for this issue. However the results may not be desired since the CN will be a set of seemingly random characters.

The CN is set using the value calculated using the Velocity template specified in the kerberos-env/ad_create_attributes_template configuration. The default value of the template is 

{
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "cn": "$principal_name",
  #if( $is_service )
  "servicePrincipalName": "$principal_name",
  #end
  "userPrincipalName": "$normalized_principal",
  "unicodePwd": "$password",
  "accountExpires": "0",
  "userAccountControl": "66048"
}

As you can see, the CN value is set to the identity's principal name. This can be changed, but we need to make sure the value will be unique. There are several variables available to use in this template. See https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.1.5/bk_ambari-security/content/customizing_the_....

You can use one of the hashes to limit the size of the value and provide a reasonable probability of uniqueness:

  • principal_digest (SHA1) - 40 characters
  • principal_digest_256 (SHA256) - 64 characters
  • principal_digest_512 (SHA512) - 128 characters

Since the maximum length for the CN attribute in an Active Directory is 64 characters, I would suggest using principal_digest_256.

For example, 

{
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "cn": "$principal_digest_256",
  #if( $is_service )
  "servicePrincipalName": "$principal_name",
  #end
  "userPrincipalName": "$normalized_principal",
  "unicodePwd": "$password",
  "accountExpires": "0",
  "userAccountControl": "66048"
}

Notice the "cn" line was changed from "cn": "$principal_name" to "cn": "$principal_digest_256".

You can change this templet from the Enable Kerberos Wizard if you open the Advanced kerberos-env tab on the Configure Kerberos page and look for the Account Attribute Template property.

684 Views
webinar banner
Announcements
Community Announcements
April 2024 Community Highlights
Community Announcements
January 2024 Community Highlights
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
View More Announcements
meetups banner