question Re: Ambari Kerberos - Existing AD in Archives of Support Questions (Read Only)

Ambari Kerberos - Existing AD

avijeetd — Fri, 16 Sep 2022 10:39:57 GMT

Hi All,

I set up a kerberized cluster using AD, everything went fine. Next I wanted to set up Kerberos for ambari using steps below

http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_Ambari_Security_Guide/content/_optional_set_up_kerberos_for_ambari_server.html#header

The problem is I can't kadmin in my linux boxes

[root@securityLab01 ~]# kadmin

Authenticating as principal ambari-qa-securityLab/admin@XXXXXXIT.LOCAL with password. kadmin:

Client not found in Kerberos database while initializing kadmin interface

Which user can I use to use kadmin.

Thanks,

Avijeet

Re: Ambari Kerberos - Existing AD

VR46 — Mon, 19 Sep 2016 17:06:12 GMT

Hello @Avijeet Dash ,

If you are using AD as Kerberos KDC, then you should not use kadmin to create an ambari server principal. You need to login to AD, create a user account for Ambari server. Once that is done, you can generate a keytab for this user by using this command (on AD's command prompt):

ktpass /princ ambari-server@HWX.COM /pass <password> /mapuser ambari-server /pType KRB5_NT_PRINCIPAL /crypto ALL /out c:\temp\ambari.server.keytab

Here I've kept the name of AD user account name and Kerberos principal name same as 'ambari-server'.

Once the keytab is generated, copy it to the host running Ambari service. And follow from step #3 in the doc link that you have given in question.

Hope this helps,

Vipin

Re: Ambari Kerberos - Existing AD

rlevas — Mon, 19 Sep 2016 20:11:32 GMT

@Avijeet Dash

For versions before Ambari 2.4.0, @Vipin Rathor's answer is correct. For Ambari 2.4.0 (and later), Ambari will do this for you when Kerberos is enabled.

Re: Ambari Kerberos - Existing AD

avijeetd — Mon, 19 Sep 2016 20:38:21 GMT

Thanks @Robert Levas @Vipin Rathor

Can we use the Ambari Views / File views etc. If Hadoop cluster is kerberized but Amabri is not?

As HDP doesn't have HUE, I am having an issue to set up a UI based access to tables etc.

Re: Ambari Kerberos - Existing AD

rlevas — Mon, 19 Sep 2016 22:50:08 GMT

If the cluster is Kerberized, then some, if not all views, will require that Ambari's Kerberos identity is configured. This is so the views can authenticate to the relevant services.