Archives of Support Questions (Read Only)

This is an archived board for historical reference. Information and links may no longer be available or relevant

Create Kerberos Principals for Each User in home


Hi,

Enabled Kerberos as MIT KDC in my HDP and I would like to create Kerberos principals and keytabs for each user in my home. Any suggestions how to create and assign them?

1 ACCEPTED SOLUTION

Master Mentor

@Sam Red

Assumption

KDC is running

KDC is created

KDC user and master password is available

REALM TEST.COM

Edgenode : for users

user is root or sudoer

To succeed you MUST give users access to your home directory 🙂 Not a good solution security-wise... If these are Unix users, then create the keytabs in e.g. /tmp and later copy them to the respective home directories, and make sure to set the correct permissions on the keytabs.

You will notice a node dedicated to users, the EDGE NODE; all client software is installed here and not on the data or name nodes!

# cd /tmp
# sudo kadmin.local
Authenticating as principal root/[email protected] with password.
kadmin.local:  addprinc [email protected]
WARNING: no policy specified for [email protected]; defaulting to no policy
Enter password for principal "[email protected]":
Re-enter password for principal "[email protected]":
Principal "[email protected]" created. 

-----do the same for all other users too------

addprinc [email protected] 
addprinc [email protected]
addprinc [email protected] 

The keytabs will be generated in the current directory

# generate keytab for user1
##########################################
# sudo ktutil
ktutil:  addent -password -p [email protected] -k 1 -e RC4-HMAC
Password for [email protected]:
ktutil:  wkt user1.keytab
ktutil:  q 

You MUST repeat the above for all your users

# chown user1:user1 user1.keytab 

Again, do the above for all users and copy the keytabs from the KDC to the edge node, then

change the ownership of the respective keytabs:

# chown user1:user1 user1.keytab

Validate the principals; in this example the keytabs are in /etc/security/keytabs

# klist -kt /etc/security/keytabs/user1.keytab 
Keytab name: FILE:/etc/security/keytabs/user1.keytab 
KVNO                Timestamp                   Principal 
---- ------------------- ------------------------------------------------------ 
1                  07/18/2017 10:46:27         [email protected] 

Test: the new user1 should try grabbing a Kerberos ticket

# kinit -kt /etc/security/keytabs/user1.keytab [email protected] 

The command below should show the validity of the Kerberos ticket

# klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: [email protected] 
Valid starting              Expires                         Service principal 
06/09/2017 10:53:48        06/10/2017 10:53:48              krbtgt/[email protected]

You should be okay now.
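The per-user steps in the answer above (create principal, export keytab, chown, kinit/klist check) as a batch script. This is an added example, not code from the original post: it assumes REALM, KEYTAB_DIR and the USERS list are set by you, and it swaps the interactive ktutil/addent -password step for kadmin.local's ktadd with a random AES key so no prompts are needed.

```sh
#!/bin/sh
# Added example, not from the original post. Caveat: ktadd re-randomizes the
# principal's key, so principals created this way authenticate by keytab only,
# not by password. AES is used instead of the RC4-HMAC the post shows.
REALM="${REALM:-TEST.COM}"
KEYTAB_DIR="${KEYTAB_DIR:-/tmp/keytabs}"
ENCTYPE="${ENCTYPE:-aes256-cts-hmac-sha1-96:normal}"

# Build the two kadmin.local queries for one user as plain strings, so they can
# be reviewed before anything touches the KDC.
principal_queries() {
    printf 'addprinc -randkey -e %s %s@%s\n' "$ENCTYPE" "$1" "$REALM"
    printf 'ktadd -k %s/%s.keytab -e %s %s@%s\n' "$KEYTAB_DIR" "$1" "$ENCTYPE" "$1" "$REALM"
}

# Path of the keytab a given user will receive.
keytab_path() { printf '%s/%s.keytab\n' "$KEYTAB_DIR" "$1"; }

# Create principal and keytab for one user, then restrict the file to its owner
# (0600, owned by the user), which is the permission step the answer stresses.
create_user_keytab() {
    user="$1"
    principal_queries "$user" | while IFS= read -r q; do
        kadmin.local -q "$q" || exit 1   # exit leaves only this pipeline subshell
    done || return 1
    chown "$user:$user" "$(keytab_path "$user")" && chmod 600 "$(keytab_path "$user")"
}

# Same validation as the answer's kinit/klist, but in a throwaway ticket cache
# so root's own /tmp/krb5cc_0 is left untouched.
verify_user_keytab() {
    user="$1"
    KRB5CCNAME="$(mktemp)" || return 1
    export KRB5CCNAME
    kinit -kt "$(keytab_path "$user")" "$user@$REALM" && klist
    status=$?
    kdestroy >/dev/null 2>&1
    return $status
}

# Usage (as root on the KDC): USERS="user1 user2 user3" sh create_keytabs.sh
if [ -n "$USERS" ]; then
    mkdir -p "$KEYTAB_DIR" && chmod 700 "$KEYTAB_DIR"
    for u in $USERS; do
        create_user_keytab "$u" && verify_user_keytab "$u"
    done
fi
```

Copy the resulting keytabs to the edge node afterwards and repeat the chown/chmod there, as the answer describes.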


@Geoffrey Shelton Okot

Perfect Thank You.