Created 09-06-2017 06:17 PM
Hi,
I enabled Kerberos (MIT KDC) in my HDP cluster and I would like to create Kerberos principals and keytabs for each user in my home. Any suggestions on how to create and assign them?
Created 09-06-2017 08:34 PM
Assumptions:
KDC is running
KDC is created
KDC user and master password are available
REALM: TEST.COM
Edge node: for users
User is root or a sudoer
To succeed you MUST give users access to your home directory 🙂 Not a good solution security-wise... If these are Unix users, then create the keytabs in e.g. /tmp and later copy them to the respective home directories, and make sure to set the correct permissions on the keytabs.
You will notice a node dedicated to users, the EDGE NODE: all client software is installed here and not on the data or name nodes!
# cd /tmp
# sudo kadmin.local
Authenticating as principal root/[email protected] with password.
kadmin.local: addprinc [email protected]
WARNING: no policy specified for [email protected]; defaulting to no policy
Enter password for principal "[email protected]":
Re-enter password for principal "[email protected]":
Principal "[email protected]" created.
----- do the same for all other users too -----
addprinc [email protected]
addprinc [email protected]
addprinc [email protected]
The keytabs will be generated in the current directory.
# generate keytab for user1
##########################################
# sudo ktutil
ktutil: addent -password -p [email protected] -k 1 -e RC4-HMAC
Password for [email protected]:
ktutil: wkt user1.keytab
ktutil: q
You MUST repeat the above for all your users.
# chown user1:user1 user1.keytab
Again, do the above for all users, copy the keytabs from the KDC to the edge node,
and change the ownership of the respective keytabs:
# chown user1:user1 user1.keytab
Validate the principals; in this example the keytabs are in /etc/security/keytabs:
# klist -kt /etc/security/keytabs/user1.keytab
Keytab name: FILE:/etc/security/keytabs/user1.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 07/18/2017 10:46:27 [email protected]
Test: the new user1 should try grabbing a Kerberos ticket:
# kinit -kt /etc/security/keytabs/user1.keytab [email protected]
The command below should show the validity of the Kerberos ticket:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting       Expires              Service principal
06/09/2017 10:53:48  06/10/2017 10:53:48  krbtgt/[email protected]
You should be okay now.
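Added here as an example, not code from the thread or its author: a small POSIX shell script covering the copy-and-verify half of the answer above (after ktutil has written the keytabs into /tmp). It installs each keytab with owner and mode set in one step, checks that it is 0600 and owned by its user, and tests it with kinit in a throw-away credential cache so root's own cache is not replaced. It assumes MIT krb5 client tools and GNU coreutils on the edge node; REALM and KEYTAB_DIR are taken from the answer, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): install and verify per-user keytabs.
# Assumes MIT krb5 (klist, kinit, kdestroy) and GNU coreutils (install, stat).
# REALM and KEYTAB_DIR are assumptions taken from the answer; adjust for your site.
REALM="${REALM:-TEST.COM}"
KEYTAB_DIR="${KEYTAB_DIR:-/etc/security/keytabs}"

# Copy a keytab into place with owner and mode set atomically by install(1),
# so there is no window in which a cp'd copy is readable by others before chown/chmod.
install_keytab() {
  src="$1"; user="$2"
  install -o "$user" -g "$(id -gn "$user")" -m 0600 "$src" "$KEYTAB_DIR/$user.keytab"
}

# Return 0 only if the keytab is mode 0600 and owned by the expected user.
check_keytab_perms() {
  path="$1"; user="$2"
  [ "$(stat -c '%a %U' "$path")" = "600 $user" ]
}

# Confirm the keytab holds the expected principal and can obtain a TGT.
# kinit is pointed at a private cache via KRB5CCNAME so the caller's cache
# (e.g. root's /tmp/krb5cc_0 seen in the answer's klist output) is untouched.
verify_keytab() {
  user="$1"; path="$KEYTAB_DIR/$user.keytab"; princ="$user@$REALM"
  check_keytab_perms "$path" "$user" || { echo "bad permissions: $path" >&2; return 1; }
  klist -kt "$path" | grep -qF "$princ" || { echo "$princ not in $path" >&2; return 1; }
  cc="$(mktemp)"
  KRB5CCNAME="FILE:$cc" kinit -kt "$path" "$princ" && KRB5CCNAME="FILE:$cc" klist
  rc=$?
  KRB5CCNAME="FILE:$cc" kdestroy 2>/dev/null; rm -f "$cc"
  return $rc
}

# Usage: install_all /tmp user1 user2 user3   (staging dir holds <user>.keytab files)
install_all() {
  staging="$1"; shift
  for u in "$@"; do
    install_keytab "$staging/$u.keytab" "$u" && verify_keytab "$u" || return 1
  done
}
```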
Created 09-06-2017 09:14 PM
Perfect, thank you.