Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Custom Kerberos Keytab Retrieval Script is not working when enable kerberos

avatar
New Contributor

Hello Community,

 

     We are using CDH 5.13.1 and CM have the same version. Hello Since we cannot get AD admin account due to security policy, We create all CDH principals manually on AD and provide keytab for CM to import. We reference https://www.cloudera.com/documentation/enterprise/latest/topics/sg_keytab_retrieval_script.html to make the "keytab retrieve script" and set the property onto CM. And I did set 777 permission by the way. set_keytab_retrieve_script.png

But here is the problem: When I enable kerberos with the wizard, it always using "/usr/share/cmf/bin/import_credentials.sh" then error.

error_msg.png 

In my cognition, when I set "Custom Kerberos Keytab Retrieval Script" property, cloudera manager will get pricipals and keytabs from retrieval scripts. Therefore, the user name and password would not take any effect in this case. Why and How should I do? 

 

Thanks,

Velen

1 ACCEPTED SOLUTION

avatar
New Contributor

     Found the answer. AD server did not enable SSL so CM can't connect AD with ldaps. When I install "Active Directory Certificate Service" in Windows Server, it all work now!

 

Velen

View solution in original post

3 REPLIES 3

avatar
Super Collaborator

Hi,

I have implemented the same thing in CDH 5.11. The procedure works fine (at least on this version).

There is no need to give 777 permissions. Security wised the keytabs should have 400 permissions and the owner should be cloudera-scm user.

I assume that your keytab files are located under "/keytabs/" or whatever directory you have configured in your script.

You should be carefull on keytab filename. Example of keytabs:

hive_slavenode1.example.com@EXAMPLE.COM.keytab

HTTP_slavenode1.example.com@EXAMPLE.COM.keytab

...

 

PS: The script should have execute permissions and the script and all keytabs should be on the host you are running Cloudera Manager.

avatar
New Contributor

     Found the answer. AD server did not enable SSL so CM can't connect AD with ldaps. When I install "Active Directory Certificate Service" in Windows Server, it all work now!

 

Velen

avatar
New Contributor

Hi, I have similiar requirement where we cannot get AD admin account due to security policy. We are using CDH 5.11.2 Express version.    Could you please help me providing steps for this approach.

 

Thanks in Advance.

 

Reards,

Dinu