question Re: Script used to generate AD accounts during kerberos setup in Archives of Support Questions (Read Only)

Script used to generate AD accounts during kerberos setup

coolgags — Fri, 16 Sep 2022 13:43:19 GMT

Dear Team,

Can you be so kind to help me with the location of script which creates AD accounts during automated kerberos setup via ambari. (AD team wants to review before giving us write access)

I looked at /var/lib/ambari-server/resources/scripts/kerberos_setup.sh but could not understand where we create and delete AD users.

Thanks and Best Regards,

Gagan

Re: Script used to generate AD accounts during kerberos setup

rlevas — Tue, 18 Sep 2018 20:23:00 GMT

@Gagandeep Singh Chawla

I do not believe that an AD-specific script is provided with Ambari; however some of the Hortonworks support or professional services folks may have something.

The provided script may be out of date and is geared towards the MIT KDC. It will not work with an Active Directory. Active Directory would prefer that all account creation and keytab export routines be executed on the Windows server, itself. However, since AD has an LDAP interface that can be used to add new objects to the database, Ambari is able to create principals and set password. Thus giving it the ability to automate creating principals and keytab files remotely - the keytab files are actually generated by Ambari and not exported from the AD.

If you are looking for steps on how Ambari does this, take a look at the HCC article How to create AD principal accounts using OpenLdap utilities and adding it to a keytab. This is not exactly what Ambari does, but it is really close. Using details from that article, I can imagine that a script can be built to read an Ambari-provided CSV file and create the needed principals and keytab files.

Re: Script used to generate AD accounts during kerberos setup

coolgags — Wed, 19 Sep 2018 15:15:42 GMT

Thanks for the detailed answer, it is very helpful! BR//Gagan