Cloubdreak on Azure Kerberos configuration hostnames too long

james_bashforth — Fri, 03 Aug 2018 10:02:08 GMT

Hi,

I am setting up a Kerberized cluster with Cloudbreak 2.7 on Azure. We have created a cluster install using simple options and it all works well, however, once we come to installing a cluster using Kerberos we are running into an error when creating the principals.

Failed to create the account for HTTP/hostname.guid.px.internal.cloudapp.net@EXAMPLE.COM

it seems that the principal is too long to fit into the 64 char limit that we have in Active Directory due to the hostname being too long.

My questions are

Is there a way around this issue?

Has anyone else managed to setup kerberos on Azure using Active Directory, if so how?

Thanks for any help that can be provided.

Re: Cloubdreak on Azure Kerberos configuration hostnames too long

rlevas — Fri, 03 Aug 2018 10:19:31 GMT

There is a workaround for this issue. However the results may not be desired since the CN will be a set of seemingly random characters.

The CN is set using the value calculated using the Velocity template specified in the kerberos-env/ad_create_attributes_template configuration. The default value of the template is

{
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "cn": "$principal_name",
  #if( $is_service )
  "servicePrincipalName": "$principal_name",
  #end
  "userPrincipalName": "$normalized_principal",
  "unicodePwd": "$password",
  "accountExpires": "0",
  "userAccountControl": "66048"
}

As you can see, the CN value is set to the identity's principal name. This can be changed, but we need to make sure the value will be unique. There are several variables available to use in this template. See https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.1.5/bk_ambari-security/content/customizing_the_attribute_template.html.

You can use one of the hashes to limit the size of the value and provide a reasonable probability of uniqueness:

principal_digest (SHA1) - 40 characters
principal_digest_256 (SHA256) - 64 characters
principal_digest_512 (SHA512) - 128 characters

Since the maximum length for the CN attribute in an Active Directory is 64 characters, I would suggest using principal_digest_256.

For example,

{
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "cn": "$principal_digest_256",
  #if( $is_service )
  "servicePrincipalName": "$principal_name",
  #end
  "userPrincipalName": "$normalized_principal",
  "unicodePwd": "$password",
  "accountExpires": "0",
  "userAccountControl": "66048"
}

Notice the "cn" line was changed from "cn": "$principal_name" to "cn": "$principal_digest_256".

You can change this templet from the Enable Kerberos Wizard if you open the Advanced kerberos-env tab on the Configure Kerberos page and look for the Account Attribute Template property.

question Cloubdreak on Azure Kerberos configuration hostnames too long in Support Questions

Cloubdreak on Azure Kerberos configuration hostnames too long

Re: Cloubdreak on Azure Kerberos configuration hostnames too long