AD admins may be busy, and you may happen to know the Ambari admin principal used for enabling Kerberos. How would you go about adding a principal to AD with this information and then adding it to your Kerberos keytab? Below is one way to do it. Thanks to @Robert Levas for collaborating with me on this.

1. Create the LDIF file add_user.ldif. Each record is separated from the next by a blank line, and there must be no spaces at the end of any line:

# Record 1: create the account, disabled (514 = NORMAL_ACCOUNT + ACCOUNTDISABLE) until a password is set
dn: CN=HTTP/loadbalancerhost,OU=dav,OU=hortonworks,DC=CHUPA,DC=COM
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
distinguishedName: CN=HTTP/loadbalancerhost,OU=dav,OU=hortonworks,DC=CHUPA,DC=COM
cn: HTTP/loadbalancerhost
userAccountControl: 514
accountExpires: 0
userPrincipalName: HTTP/loadbalancerhost@CHUPA.COM
servicePrincipalName: HTTP/loadbalancerhost

# Record 2: set the password (base64 of the UTF-16LE, double-quoted password, see step 2)
dn: CN=HTTP/loadbalancerhost,OU=dav,OU=hortonworks,DC=chupa,DC=com
changetype: modify
replace: unicodePwd
unicodePwd::IgBoAGEAZABvAG8AcABSAG8AYwBrAHMAMQAyADMAIQAiAA==
-

# Record 3: enable the account (66048 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD)
dn: CN=HTTP/loadbalancerhost,OU=dav,OU=hortonworks,DC=CHUPA,DC=COM
changetype: modify
replace: userAccountControl
userAccountControl: 66048
-

Trailing spaces at the ends of the above lines produce an error like the following:

ldap_add: No such attribute (16)
      additional info: 00000057: LdapErr: DSID-0C090D8A, comment: Error in attribute conversion operation, data 0, v2580

2. Create the unicodePwd value for the above principal from the password hadoopRocks123!. AD expects the password wrapped in double quotes and encoded as UTF-16LE; LDIF carries that binary value base64 encoded, which is why the attribute is written with "::". Replace the unicodePwd field in step 1 with the output:

[root@chupa1 ~]# echo -n '"hadoopRocks123!"' | iconv -f UTF8 -t UTF16LE | base64 -w 0
IgBoAGEAZABvAG8AcABSAG8AYwBrAHMAMQAyADMAIQAiAA==
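As an added example (my own code, not from the article or from Cloudera/Hortonworks), the following Python script covers steps 1 and 2 together: it derives the unicodePwd value the same way the iconv/base64 pipeline does, names the userAccountControl bits behind the two values the LDIF uses (514 while the account has no password yet, 66048 once it does), emits the three LDIF records with the blank-line separators LDIF requires, and flags any line carrying the trailing whitespace that triggers the error shown above. The realm, container and password are the article's sample values; the function names and the flag constants' names are my own choice (the bit values are the standard AD ones).

```python
import base64

# Constructed sample values mirroring the article's LDIF (CHUPA.COM is the article's example realm).
REALM = "CHUPA.COM"
PRINCIPAL = "HTTP/loadbalancerhost"
CONTAINER = "OU=dav,OU=hortonworks,DC=CHUPA,DC=COM"
PASSWORD = "hadoopRocks123!"

# Standard AD userAccountControl bits used by the article's LDIF.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
UAC_FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}


def encode_unicode_pwd(password):
    """Return the LDIF value for unicodePwd: the password wrapped in double quotes,
    encoded as UTF-16LE, then base64 (same result as echo -n '"pw"' | iconv | base64)."""
    quoted = '"' + password + '"'
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def decode_uac(value):
    """Name the flag bits set in a userAccountControl value (only the bits defined above)."""
    return [name for bit, name in sorted(UAC_FLAG_NAMES.items()) if value & bit]


def build_ldif(principal=PRINCIPAL, realm=REALM, container=CONTAINER, password=PASSWORD):
    """Emit the three LDIF records: create the account disabled, set its password, enable it.
    Records are separated by a blank line and each modify record ends with '-'."""
    dn = "CN=%s,%s" % (principal, container)
    create = [
        "dn: " + dn,
        "changetype: add",
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: user",
        "cn: " + principal,
        # Usual AD pattern: create disabled, set the password, then enable.
        "userAccountControl: %d" % (NORMAL_ACCOUNT | ACCOUNTDISABLE),
        "accountExpires: 0",
        "userPrincipalName: %s@%s" % (principal, realm),
        "servicePrincipalName: " + principal,
    ]
    set_password = [
        "dn: " + dn,
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: " + encode_unicode_pwd(password),
        "-",
    ]
    enable = [
        "dn: " + dn,
        "changetype: modify",
        "replace: userAccountControl",
        "userAccountControl: %d" % (NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),
        "-",
    ]
    records = ["\n".join(create), "\n".join(set_password), "\n".join(enable)]
    return "\n\n".join(records) + "\n"


def trailing_whitespace_lines(ldif_text):
    """Return the 1-based numbers of lines ending in whitespace; such lines make ldapadd
    fail with the 'Error in attribute conversion operation' message shown in the article."""
    return [n for n, line in enumerate(ldif_text.split("\n"), 1) if line != line.rstrip()]


if __name__ == "__main__":
    text = build_ldif()
    assert not trailing_whitespace_lines(text)
    # Redirect to add_user.ldif, then feed it to ldapadd as in step 3.
    print(text, end="")
```

Running the script prints the LDIF; redirect it into add_user.ldif for step 3. Note that DONT_EXPIRE_PASSWORD is convenient for a service account whose key lives in a keytab, but it also means nothing will ever force a rotation of that key, so plan one deliberately.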

3. Add the account to AD. AD only accepts unicodePwd over an encrypted connection, which is why the ldaps:// URL is used:

[root@chupa1 ~]# ldapadd -x -H ldaps://sme-2012-ad.support.com:636 -D "test1@chupa.com" -W -f add_user.ldif
Enter LDAP Password: 
adding new entry "CN=HTTP/loadbalancerhost,OU=dav,OU=hortonworks,DC=CHUPA,DC=COM"
modifying entry "CN=HTTP/loadbalancerhost,OU=dav,OU=hortonworks,DC=CHUPA,DC=com"
modifying entry "CN=HTTP/loadbalancerhost,OU=dav,OU=hortonworks,DC=CHUPA,DC=COM"

4. Test the account with kinit:

[root@chupa1 ~]# kinit HTTP/loadbalancerhost@CHUPA.COM
Password for HTTP/loadbalancerhost@CHUPA.COM: 

[root@chupa1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/loadbalancerhost@CHUPA.COM

Valid starting     Expires            Service principal
02/09/17 19:02:33  02/10/17 19:02:33  krbtgt/CHUPA.COM@CHUPA.COM
	renew until 02/09/17 19:02:33

5. To take it one step further, add the principal to a keytab file. The -k value should match the account's key version number in AD (kvno HTTP/loadbalancerhost@CHUPA.COM shows it after the kinit in step 4), and the keytab should be verified with kinit -kt spenego.service.keytab HTTP/loadbalancerhost@CHUPA.COM before it is deployed. AD does not issue DES tickets by default, so the aes entries are the ones that matter; the extra entries are harmless:

[root@chupa1 ~]# ktutil
ktutil:  add_entry -password -p HTTP/loadbalancerhost@CHUPA.COM -k 1 -e aes128-cts-hmac-sha1-96
Password for HTTP/loadbalancerhost@CHUPA.COM:
ktutil:  add_entry -password -p HTTP/loadbalancerhost@CHUPA.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for HTTP/loadbalancerhost@CHUPA.COM:
ktutil:  add_entry -password -p HTTP/loadbalancerhost@CHUPA.COM -k 1 -e arcfour-hmac-md5-exp
Password for HTTP/loadbalancerhost@CHUPA.COM:
ktutil:  add_entry -password -p HTTP/loadbalancerhost@CHUPA.COM -k 1 -e des3-cbc-sha1
Password for HTTP/loadbalancerhost@CHUPA.COM:
ktutil:  add_entry -password -p HTTP/loadbalancerhost@CHUPA.COM -k 1 -e des-cbc-md5
Password for HTTP/loadbalancerhost@CHUPA.COM:
ktutil:  write_kt spenego.service.keytab
ktutil:  exit
[root@chupa1 ~]# klist -ket spenego.service.keytab
Keytab name: FILE:spenego.service.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/18/17 03:12:38 HTTP/loadbalancerhost@CHUPA.COM (aes128-cts-hmac-sha1-96)
   1 01/18/17 03:12:38 HTTP/loadbalancerhost@CHUPA.COM (aes256-cts-hmac-sha1-96)
   1 01/18/17 03:12:38 HTTP/loadbalancerhost@CHUPA.COM (arcfour-hmac-exp)
   1 01/18/17 03:12:38 HTTP/loadbalancerhost@CHUPA.COM (des3-cbc-sha1)
   1 01/18/17 03:12:38 HTTP/loadbalancerhost@CHUPA.COM (des-cbc-md5)
Last update: 02-09-2017 08:16 PM