question Re: Ambari managing krb5.conf in Archives of Support Questions (Read Only)

Ambari managing krb5.conf

russ_stevenson — Fri, 16 Sep 2022 10:30:09 GMT

Can anyone explain why when Ambari is managing a clients krb5.conf file the default_tgs_enctypes value in the krb5.conf file is commented out? The values reflect the Ambari values, they are just commented out.

The TGT is showing aes-256, I'm just trying to pull together the amabri configure in context to the krb5.conf.

sh-4.1$ klist -e Ticket cache: FILE:/tmp/krb5cc_49003
Default principal: hdpuser3@FOO.COM Valid starting Expires Service principal
07/15/16 12:10:15 07/15/16 22:07:30 krbtgt/FOO.COM@FOO.COM renew until 07/22/16
12:10:15, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

Thanks,

russ

It is configured with the kerberos configuration, see below

"ad_create_attributes_template" : "\n{\n  \"objectClass\":
[\"top\", \"person\", \"organizationalPerson\",
\"user\"],\n  \"cn\":
\"$principal_name\",\n  #if( $is_service
)\n  \"servicePrincipalName\":
\"$principal_name\",\n 
#end\n 
\"userPrincipalName\": \"$normalized_principal\",\n  \"unicodePwd\": \"$password\",\n  \"accountExpires\":
\"0\",\n 
\"userAccountControl\": \"66048\"\n}",
 
"admin_server_host" : "rs-2008r2-dc.foo.com",
 
"case_insensitive_username_rules" : "false",
 
"container_dn" : "ou=rshdp1",
 
"encryption_types" : "aes des3-cbc-sha1 rc4
des-cbc-md5",
 
"executable_search_paths" : "/usr/bin, /usr/kerberos/bin,
/usr/sbin, /usr/lib/mit/bin, /usr/lib/mit/sbin",
 
"install_packages" : "true",
 
"kdc_create_attributes" : "",
 
"kdc_host" : "rs-2008r2-dc.foo.com",
 
"kdc_type" : "active-directory",
snip from the krb5.conf:
[libdefaults] 
renew_lifetime = 7d 
forwardable = true 
default_realm = FOO.COM 
ticket_lifetime = 24h dns_lookup_realm = false 
dns_lookup_kdc = false 
#default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5
#default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5

Re: Ambari managing krb5.conf

KuldeepK — Mon, 19 Aug 2019 09:22:37 GMT

@russ stevenson

If you don't Ambari to manage your krb5.conf then as per below screenshot, you can turn off "Manage Kerberos client krb5.conf" option.

Regarding commented entries - I'm not too sure why it is commented, if I change encryption type via Ambari then also it will be commented. Adding few Ambari experts in this thread.

@vpoornalingam / @ctam

Note - I found this bug though - https://issues.apache.org/jira/browse/AMBARI-14001

Re: Ambari managing krb5.conf

rlevas — Wed, 20 Jul 2016 07:20:28 GMT

@russ stevenson

The reason they are commented out is based on recommendations from MIT - http://web.mit.edu/kerberos/krb5-1.13/doc/admin/conf_files/krb5_conf.html (see default_tgs_enctypes" and "default_tkt_enctypes")

Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded.

We left them in the krb5.conf file, commented out, so you can see what they would have been set to. You can change this by editing the krb5-conf/content property, found under Advanced krb5-conf in the Kerberos service configs as "krb5-conf template".

Re: Ambari managing krb5.conf

russ_stevenson — Wed, 20 Jul 2016 23:50:06 GMT

@Robert Leva

@Kuldeep Kulkarni

Thanks for the response, the combination of the MIT documentation recommendation and the Jira, clarify this observation.

Cheers!