https://community.cloudera.com/t5/Archives-of-Support-Questions/Commands-to-add-HTTP-principals-to-spnego-keytab-file-for-AD/m-p/133404#M51826 <A rel="user" href="https://community.cloudera.com/users/14265/parepallykiran.html" nodeid="14265">@Saikiran Parepally</A><P>I think Ambari uses APIs for creating principals. Instead of going for a complex way, Easiest way is - you can use 'ktpass' to extract principals in keytab.</P><P>Please see - <A href="https://technet.microsoft.com/en-us/library/cc753771(v=ws.11).aspx" target="_blank">https://technet.microsoft.com/en-us/library/cc753771(v=ws.11).aspx</A></P><P>Hope this information helps!</P> Wed, 18 Jan 2017 18:02:18 GMT KuldeepK 2017-01-18T18:02:18Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Commands-to-add-HTTP-principals-to-spnego-keytab-file-for-AD/m-p/133403#M51825 <P>I am trying to enable HA for Ranger Admin and for that need to add all of the Ranger Admin Hosts HTTP principals and LoadBalancer principal to the same spnego keytab file. Need instructions on creating AD user (hint to script which Ambari uses to create new principals and keytab files) and add principals into the single keytab file. </P> Wed, 18 Jan 2017 09:58:04 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Commands-to-add-HTTP-principals-to-spnego-keytab-file-for-AD/m-p/133403#M51825 sparepally 2017-01-18T09:58:04Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Commands-to-add-HTTP-principals-to-spnego-keytab-file-for-AD/m-p/133404#M51826 <A rel="user" href="https://community.cloudera.com/users/14265/parepallykiran.html" nodeid="14265">@Saikiran Parepally</A><P>I think Ambari uses APIs for creating principals. Instead of going for a complex way, Easiest way is - you can use 'ktpass' to extract principals in keytab.</P><P>Please see - <A href="https://technet.microsoft.com/en-us/library/cc753771(v=ws.11).aspx" target="_blank">https://technet.microsoft.com/en-us/library/cc753771(v=ws.11).aspx</A></P><P>Hope this information helps!</P> Wed, 18 Jan 2017 18:02:18 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Commands-to-add-HTTP-principals-to-spnego-keytab-file-for-AD/m-p/133404#M51826 KuldeepK 2017-01-18T18:02:18Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Commands-to-add-HTTP-principals-to-spnego-keytab-file-for-AD/m-p/133405#M51827 <P>Hello <A rel="user" href="https://community.cloudera.com/users/14265/parepallykiran.html" nodeid="14265">@Saikiran Parepally</A>,</P><P>To add to <A rel="user" href="https://community.cloudera.com/users/504/kkulkarni.html" nodeid="504">@Kuldeep Kulkarni</A>'s answer, you can find the instruction to create AD user and keytab, here :</P><P><A href="https://community.hortonworks.com/content/supportkb/48973/how-to-setup-kerberos-keytab-for-hadoop-services-o.html">https://community.hortonworks.com/content/supportkb/48973/how-to-setup-kerberos-keytab-for-hadoop-services-o.html</A></P><P>Once you have generated keytabs for all the required principals, you can copy them to Ranger Admin node(s) and use "ktutil" command from Kerberos package to merge all keytabs into one. Like this:</P><PRE># ktutil ktutil: rkt /tmp/service1.keytab ktutil: rkt /tmp/service2.keytab ktutil: rkt /tmp/service3.keytab ktutil: wkt /tmp/combined.keytab ktutil: exit</PRE><P>Hope this helps !</P> Wed, 18 Jan 2017 18:59:40 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Commands-to-add-HTTP-principals-to-spnego-keytab-file-for-AD/m-p/133405#M51827 VR46 2017-01-18T18:59:40Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Commands-to-add-HTTP-principals-to-spnego-keytab-file-for-AD/m-p/133406#M51828 <P>I believe that a combination of both <A rel="user" href="https://community.cloudera.com/users/504/kkulkarni.html" nodeid="504">@Kuldeep Kulkarni</A> and <A rel="user" href="https://community.cloudera.com/users/740/vrathor.html" nodeid="740">@Vipin Rathor</A> answers are correct. Combining them and assuming the SPNEGO principals (HTTP/&lt;host&gt;) for the Ranger hosts already exist in the Active Directory:</P><OL><LI>Create the account in the Active Directory for the load balancer host (HTTP/&lt;loadbalancer FQDN&gt;@&lt;realm&gt;)</LI><LI>Export the keytab file for the created account</LI><LI>Combine the relevant keytab file into a single file using ktutil</LI></OL><P><STRONG>Do not attempt to export new keytab file for the previously existing SPNEGO principals</STRONG> as this will change the password on the account and invalidate the existing (relevant) keytab files in the cluster. You should find the needed keytab file from the appropriate hosts at /etc/security/keytabs/spnego.service.keytab. </P><P>Creating the new account in the Active Directory can be done by logging into the Active Directory and using the new user wizard - right mouse click on the LDAP container (aka the "OU") and select "new" and then select "user" from the menus. You can also create a new user in the Active Directory by using LDAP commands from the OpenLDAP packages (ldapadd), but you will need to create a unicode password and an LDIF file - I believe there will be a article on HCC about this in the rather near future courtesy of <A rel="user" href="https://community.cloudera.com/users/509/dvillarreal.html" nodeid="509">@dvillarreal</A> with a little help from me. </P><P>Creating the keytab file can be done using the ktpass utility on the Active Directory host; or, since you might know the password for the account, you can use ktutil to build one on a Linux host. </P> Wed, 18 Jan 2017 23:28:46 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Commands-to-add-HTTP-principals-to-spnego-keytab-file-for-AD/m-p/133406#M51828 rlevas 2017-01-18T23:28:46Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Commands-to-add-HTTP-principals-to-spnego-keytab-file-for-AD/m-p/133407#M51829 <P><A rel="user" href="https://community.cloudera.com/users/322/rlevas.html" nodeid="322">@Robert Levas</A> <A rel="user" href="https://community.cloudera.com/users/504/kkulkarni.html" nodeid="504">@Kuldeep Kulkarni</A> <A rel="user" href="https://community.cloudera.com/users/740/vrathor.html" nodeid="740">@Vipin Rathor</A> ... Thanks a lot for your responses. Initially our AD team was hesitant to create principals for LoadBalancer and thats the reason why I was looking at Ambari scripts to create that. Now they are convinced and created principal for loadbalancer in AD. I followed ktutil steps mentioned by <A rel="user" href="https://community.cloudera.com/users/740/vrathor.html" nodeid="740">@Vipin Rathor</A> to merge keytabs as suggested by <A rel="user" href="https://community.cloudera.com/users/322/rlevas.html" nodeid="322">@Robert Levas</A>. This has solved the issue and I am successfully able to sync policies. </P> Thu, 19 Jan 2017 00:52:31 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Commands-to-add-HTTP-principals-to-spnego-keytab-file-for-AD/m-p/133407#M51829 sparepally 2017-01-19T00:52:31Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Commands-to-add-HTTP-principals-to-spnego-keytab-file-for-AD/m-p/133408#M51830 <A rel="user" href="https://community.cloudera.com/users/14265/parepallykiran.html" nodeid="14265">@Saikiran Parepally</A><P>Article created for future reference. <A href="https://community.hortonworks.com/content/kbentry/82544/how-to-create-ad-principal-accounts-using-openldap.html">https://community.hortonworks.com/content/kbentry/82544/how-to-create-ad-principal-accounts-using-openldap.html</A></P> Fri, 10 Feb 2017 06:17:50 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Commands-to-add-HTTP-principals-to-spnego-keytab-file-for-AD/m-p/133408#M51830 dvillarreal 2017-02-10T06:17:50Z