https://community.cloudera.com/t5/Archives-of-Support-Questions/Custom-Kerberos-Keytab-Retrieval-Script-is-not-working-when/m-p/67888#M74871 <P>Hi, I have similiar requirement where&nbsp;<SPAN>we cannot get AD admin account due to security polic</SPAN>y. We are using CDH 5.11.2 Express version. &nbsp;&nbsp; Could you please help me providing steps for this approach.</P><P>&nbsp;</P><P>Thanks in Advance.</P><P>&nbsp;</P><P>Reards,</P><P>Dinu</P> Tue, 05 Jun 2018 07:01:26 GMT Dinu1 2018-06-05T07:01:26Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Custom-Kerberos-Keytab-Retrieval-Script-is-not-working-when/m-p/64865#M74868 <P><SPAN>Hello Community,</SPAN></P><P>&nbsp;</P><P><SPAN>&nbsp; &nbsp; &nbsp;We are using CDH 5.13.1 and CM have the same version.&nbsp;Hello&nbsp;Since we cannot get AD admin account due to security policy, We create</SPAN>&nbsp;all CDH principals manually on<SPAN>&nbsp;</SPAN>AD<SPAN>&nbsp;</SPAN>and provide<SPAN>&nbsp;</SPAN>keytab<SPAN>&nbsp;</SPAN>for CM to import. We reference <A href="https://www.cloudera.com/documentation/enterprise/latest/topics/sg_keytab_retrieval_script.html" target="_blank">https://www.cloudera.com/documentation/enterprise/latest/topics/sg_keytab_retrieval_script.html</A> to make the "keytab<SPAN>&nbsp;</SPAN>retrieve script" and set the property onto CM. And I did set 777 permission by the way.&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="set_keytab_retrieve_script.png" style="width: 400px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/3896iAAEF6117F27A6205/image-size/medium?v=v2&amp;px=400" role="button" title="set_keytab_retrieve_script.png" alt="set_keytab_retrieve_script.png" /></span></P><P>But here is the problem: When I enable kerberos&nbsp;with the wizard, it always using "/usr/share/cmf/bin/import_credentials.sh" then error.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="error_msg.png" style="width: 400px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/3897i7BA0ADEFD4998D91/image-size/medium?v=v2&amp;px=400" role="button" title="error_msg.png" alt="error_msg.png" /></span>&nbsp;</P><P>In my cognition, when I set "<SPAN>Custom Kerberos Keytab Retrieval Script</SPAN>" property, cloudera manager will get pricipals and keytabs from retrieval scripts. Therefore, the user name and password would not take any effect in this case. Why and How should I do?&nbsp;</P><P>&nbsp;</P><P>Thanks,</P><P>Velen</P> Fri, 23 Feb 2018 08:43:57 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Custom-Kerberos-Keytab-Retrieval-Script-is-not-working-when/m-p/64865#M74868 VelenWu 2018-02-23T08:43:57Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Custom-Kerberos-Keytab-Retrieval-Script-is-not-working-when/m-p/64994#M74869 <P>Hi,</P><P>I have implemented the same thing in CDH 5.11. The procedure works fine (at least on this version).</P><P>There is no need to give 777 permissions. Security wised the keytabs should have 400 permissions and the owner should be cloudera-scm user.</P><P>I assume that your keytab files are located under "/keytabs/" or whatever directory you have configured in your script.</P><P>You should be carefull on keytab filename. Example of keytabs:</P><P>hive_slavenode1.example.com@EXAMPLE.COM.keytab</P><P><SPAN>HTTP_slavenode1.example.com@EXAMPLE.COM.keytab</SPAN></P><P><SPAN>...</SPAN></P><P>&nbsp;</P><P><SPAN>PS: The script should have execute permissions and the script and all keytabs should be on the host you are running Cloudera Manager.</SPAN></P> Wed, 28 Feb 2018 09:35:23 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Custom-Kerberos-Keytab-Retrieval-Script-is-not-working-when/m-p/64994#M74869 GeKas 2018-02-28T09:35:23Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Custom-Kerberos-Keytab-Retrieval-Script-is-not-working-when/m-p/65055#M74870 <P>&nbsp; &nbsp; &nbsp;Found the answer. AD server did not enable SSL so CM can't connect AD with ldaps. When I install "Active Directory Certificate Service" in Windows Server, it all work now!</P><P>&nbsp;</P><P>Velen</P> Fri, 02 Mar 2018 03:13:15 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Custom-Kerberos-Keytab-Retrieval-Script-is-not-working-when/m-p/65055#M74870 VelenWu 2018-03-02T03:13:15Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Custom-Kerberos-Keytab-Retrieval-Script-is-not-working-when/m-p/67888#M74871 <P>Hi, I have similiar requirement where&nbsp;<SPAN>we cannot get AD admin account due to security polic</SPAN>y. We are using CDH 5.11.2 Express version. &nbsp;&nbsp; Could you please help me providing steps for this approach.</P><P>&nbsp;</P><P>Thanks in Advance.</P><P>&nbsp;</P><P>Reards,</P><P>Dinu</P> Tue, 05 Jun 2018 07:01:26 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Custom-Kerberos-Keytab-Retrieval-Script-is-not-working-when/m-p/67888#M74871 Dinu1 2018-06-05T07:01:26Z