https://community.cloudera.com/t5/Archives-of-Support-Questions/Is-there-any-way-to-skip-quot-create-principal-quot-and-quot/m-p/187291#M65027 <P>You can specify that you do not want Ambari to manage the underlying Kerberos infrastructure (MIT Kerberos library, kb5.conf, principals, and keytab files) using the API or Blueprints by setting the following configurations:</P><PRE>kerberos-env/kdc_type = "none" kerberos-env/manage_identities = false kerberos-env/install_packages = false krb5-conf/manage_krb5_conf = false</PRE><P>Technically, you can pick and choose which features you want Ambari to, or not to handle; but the above setting are what the UI sets when you choose the "manual" option.</P><P>See <A target="_blank" href="https://github.com/apache/ambari/blob/trunk/ambari-server/docs/security/kerberos/enabling_kerberos.md#the-rest-api">https://github.com/apache/ambari/blob/trunk/ambari-server/docs/security/kerberos/enabling_kerberos.md#the-rest-api</A> for more information on using the API to enable Kerberos.</P> Mon, 24 Jul 2017 16:16:43 GMT rlevas 2017-07-24T16:16:43Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Is-there-any-way-to-skip-quot-create-principal-quot-and-quot/m-p/187288#M65024 <P>Hi All,</P><P>We are trying to kerberize cluster using Centirfy with pre created AD Accounts and Keytabs . So far we are able kerberize with following approach.</P><UL> <LI>Generate computer account in AD and centrify using APIs. [We can access AD or Centrify only through APIs].</LI><LI>Do “adjoin” after creating computer accounts in AD and CENTRIFY.</LI></UL><UL> <LI>Create principals and keytabs for user and services in AD/Centrify</LI><LI>Place user and service keytabs on respective hosts in /etc/security/keytabs</LI><LI>From Ambari UI, Enable Security -&gt; <STRONG>Existing Active Directory</STRONG></LI></UL><P><STRONG>But in reaches to point till creation of principal and gets failed.</STRONG> So, Is there any procedure which can skip procedure of "create principal" and "create keytabs", as it is already created and placed at respective hosts.</P> Mon, 17 Jul 2017 17:45:25 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Is-there-any-way-to-skip-quot-create-principal-quot-and-quot/m-p/187288#M65024 ajitpsonawane 2017-07-17T17:45:25Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Is-there-any-way-to-skip-quot-create-principal-quot-and-quot/m-p/187289#M65025 <P><A rel="user" href="https://community.cloudera.com/users/23233/ajitpsonawane.html" nodeid="23233">@Ajit Sonawane</A></P><P>There are a few articles on HCC related to enabling Kerberos using Ambari when Centrify is involved. For example:</P><UL><LI><A target="_blank" href="https://community.hortonworks.com/questions/2939/hdp-23ambari-integration-with-ad-managed-by-centri.html">https://community.hortonworks.com/questions/2939/hdp-23ambari-integration-with-ad-managed-by-centri.html</A></LI><LI><A target="_blank" href="https://community.hortonworks.com/articles/5388/centrify-integration-with-hdp.html">https://community.hortonworks.com/articles/5388/centrify-integration-with-hdp.html</A></LI></UL><P>However if you wish to have Ambari skip creating keytab files and principals, you can use the Enable Kerberos Wizard and choose the "manual" option. This will allow Ambari to configure the services while allowing you to manually manage the underlying Kerberos infrastructure and identities (principals and keytab files). </P> Mon, 17 Jul 2017 22:13:53 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Is-there-any-way-to-skip-quot-create-principal-quot-and-quot/m-p/187289#M65025 rlevas 2017-07-17T22:13:53Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Is-there-any-way-to-skip-quot-create-principal-quot-and-quot/m-p/187290#M65026 <P>Thanks Robert for your quick reply.</P><P>Is there any REST API or Ambari Blueprint option which supports "Manual " way of kerberization.</P> Mon, 24 Jul 2017 00:48:39 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Is-there-any-way-to-skip-quot-create-principal-quot-and-quot/m-p/187290#M65026 ajitpsonawane 2017-07-24T00:48:39Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Is-there-any-way-to-skip-quot-create-principal-quot-and-quot/m-p/187291#M65027 <P>You can specify that you do not want Ambari to manage the underlying Kerberos infrastructure (MIT Kerberos library, kb5.conf, principals, and keytab files) using the API or Blueprints by setting the following configurations:</P><PRE>kerberos-env/kdc_type = "none" kerberos-env/manage_identities = false kerberos-env/install_packages = false krb5-conf/manage_krb5_conf = false</PRE><P>Technically, you can pick and choose which features you want Ambari to, or not to handle; but the above setting are what the UI sets when you choose the "manual" option.</P><P>See <A target="_blank" href="https://github.com/apache/ambari/blob/trunk/ambari-server/docs/security/kerberos/enabling_kerberos.md#the-rest-api">https://github.com/apache/ambari/blob/trunk/ambari-server/docs/security/kerberos/enabling_kerberos.md#the-rest-api</A> for more information on using the API to enable Kerberos.</P> Mon, 24 Jul 2017 16:16:43 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Is-there-any-way-to-skip-quot-create-principal-quot-and-quot/m-p/187291#M65027 rlevas 2017-07-24T16:16:43Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Is-there-any-way-to-skip-quot-create-principal-quot-and-quot/m-p/187292#M65028 <P>Thanks <A rel="user" href="https://community.cloudera.com/users/322/rlevas.html" nodeid="322">@Robert Levas</A>, problem solved with your solution.</P> Tue, 19 Sep 2017 14:45:31 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Is-there-any-way-to-skip-quot-create-principal-quot-and-quot/m-p/187292#M65028 ajitpsonawane 2017-09-19T14:45:31Z