Created on 02-09-2017 08:16 PM - edited on 02-12-2020 04:50 AM by SumitraMenon
AD admins may be busy, and you may already have the credentials of the AD account that Ambari uses to create principals when enabling Kerberos. How would you go about adding a principal to AD with that account, and then adding it to a Kerberos keytab? Below is one way to do it. Thanks to @Robert Levas for collaborating with me on this.
1. Create the LDIF file add_user.ldif. It holds three records: the first creates the user disabled (userAccountControl 514 = 512 NORMAL_ACCOUNT + 2 ACCOUNTDISABLE, because AD will not create an enabled account that has no password yet), the second sets the password, and the third enables the account with a non-expiring password (66048 = 512 + 65536 DONT_EXPIRE_PASSWORD). Make sure there are no spaces at the ends of any of these lines.
dn: CN=HTTP/loadbalancerhost,OU=dav,OU=hortonworks,DC=HOST,DC=COM
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
distinguishedName: CN=HTTP/loadbalancerhost,OU=dav,OU=hortonworks,DC=HOST,DC=COM
cn: HTTP/loadbalancerhost
userAccountControl: 514
accountExpires: 0
userPrincipalName: HTTP/loadbalancerhost@HOST.COM
servicePrincipalName: HTTP/loadbalancerhost

dn: CN=HTTP/loadbalancerhost,OU=dav,OU=hortonworks,DC=HOST,DC=COM
changetype: modify
replace: unicodePwd
unicodePwd::IgBoAGEAZABvAG8AcABSAG8AYwBrAHMAMQAyADMAIQAiAA==

dn: CN=HTTP/loadbalancerhost,OU=dav,OU=hortonworks,DC=HOST,DC=COM
changetype: modify
replace: userAccountControl
userAccountControl: 66048
Do not leave spaces at the ends of the above lines, or you will get an error like the following:
ldap_add: No such attribute (16)
	additional info: 00000057: LdapErr: DSID-0C090D8A, comment: Error in attribute conversion operation, data 0, v2580
2. Generate the unicodePwd value for the password hadoopRocks123! and paste it into the unicodePwd field in step 1. AD expects the password wrapped in double quotes, encoded as UTF-16LE and then base64; the double colon after unicodePwd in the LDIF marks a base64-encoded value:
[root@host1 ~]# echo -n '"hadoopRocks123!"' | iconv -f UTF8 -t UTF16LE | base64 -w 0
IgBoAGEAZABvAG8AcABSAG8AYwBrAHMAMQAyADMAIQAiAA==
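The same LDIF and unicodePwd value produced with a script instead of by hand, as an added example in Python that is not part of the original article. It reproduces the iconv/base64 encoding above, writes the three LDIF records from step 1 with the userAccountControl values spelled out as flags, and checks for the trailing whitespace that makes ldapadd fail. The DN, realm and password are the article's; the function names are mine.

```python
"""Build the AD LDIF from steps 1 and 2 in Python.

Added example, not code from the original article. The DN, realm and password
are the ones the article uses; the helper names are this example's own.
"""
import base64

# userAccountControl bits used by the article (standard AD flag values)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000


def unicode_pwd(password: str) -> str:
    """AD unicodePwd value: '"<password>"' encoded as UTF-16LE, then base64.

    Same bytes as: echo -n '"<password>"' | iconv -f UTF8 -t UTF16LE | base64 -w 0
    """
    quoted = '"' + password + '"'
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def decode_uac(value: int) -> list:
    """Name the userAccountControl flags set in value (only the ones used here)."""
    names = {
        ACCOUNTDISABLE: "ACCOUNTDISABLE",
        NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
        DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    }
    return [name for bit, name in names.items() if value & bit]


def build_ldif(spn: str, realm: str, base_ou: str, password: str) -> str:
    """Three LDIF records: create the user disabled, set its password, enable it.

    AD refuses to create an enabled user that has no password, so the account is
    created with 514 (512 | 2), the password is set in a separate modify, and the
    last modify switches to 66048 (512 | 65536, password never expires).
    """
    dn = f"CN={spn},{base_ou}"
    records = [
        [
            f"dn: {dn}",
            "changetype: add",
            "objectClass: top",
            "objectClass: person",
            "objectClass: organizationalPerson",
            "objectClass: user",
            f"distinguishedName: {dn}",
            f"cn: {spn}",
            f"userAccountControl: {NORMAL_ACCOUNT | ACCOUNTDISABLE}",
            "accountExpires: 0",
            f"userPrincipalName: {spn}@{realm}",
            f"servicePrincipalName: {spn}",
        ],
        [
            f"dn: {dn}",
            "changetype: modify",
            "replace: unicodePwd",
            f"unicodePwd:: {unicode_pwd(password)}",   # '::' = base64 value in LDIF
        ],
        [
            f"dn: {dn}",
            "changetype: modify",
            "replace: userAccountControl",
            f"userAccountControl: {NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD}",
        ],
    ]
    return "\n\n".join("\n".join(rec) for rec in records) + "\n"


def trailing_whitespace_lines(ldif: str) -> list:
    """1-based numbers of lines ending in whitespace, which make ldapadd fail."""
    return [i for i, line in enumerate(ldif.splitlines(), 1)
            if line != line.rstrip()]


if __name__ == "__main__":
    text = build_ldif("HTTP/loadbalancerhost", "HOST.COM",
                      "OU=dav,OU=hortonworks,DC=HOST,DC=COM", "hadoopRocks123!")
    assert not trailing_whitespace_lines(text)
    with open("add_user.ldif", "w") as fh:   # the file step 3 passes to ldapadd
        fh.write(text)
    print(text)
```

Run it to write add_user.ldif for step 3; unicode_pwd() yields exactly the string the echo | iconv | base64 pipeline prints, so the two can be compared directly, and decode_uac() explains the two magic userAccountControl numbers.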
3. Add the account to AD. AD only accepts a unicodePwd value over a TLS-protected connection, which is why the bind goes to ldaps:// on port 636; the bind account (test1@host.com here) needs permission to create user objects in the target OU:
[root@host1 ~]# ldapadd -x -H ldaps://sme-2012-ad.support.com:636 -D "test1@host.com" -W -f add_user.ldif
Enter LDAP Password:
adding new entry "CN=HTTP/loadbalancerhost,OU=dav,OU=hortonworks,DC=HOST,DC=COM"

modifying entry "CN=HTTP/loadbalancerhost,OU=dav,OU=hortonworks,DC=HOST,DC=COM"

modifying entry "CN=HTTP/loadbalancerhost,OU=dav,OU=hortonworks,DC=HOST,DC=COM"
4. Test the account with kinit. Getting a TGT proves that AD accepted the password and that the account is enabled:
[root@host1 ~]# kinit HTTP/loadbalancerhost@HOST.COM
Password for HTTP/loadbalancerhost@HOST.COM:
[root@host1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/loadbalancerhost@HOST.COM

Valid starting     Expires            Service principal
02/09/17 19:02:33  02/10/17 19:02:33  krbtgt/HOST.COM@HOST.COM
	renew until 02/09/17 19:02:33
5. Take it one step further if you need to add the principal to a keytab file. ktutil derives each key from the password you type, one entry per encryption type, so type the same password every time. A few caveats before copying the list of types below: des-cbc-md5 and arcfour-hmac-md5-exp are deprecated by RFC 6649 and des3-cbc-sha1 by RFC 8429, and AD does not hand out DES keys unless DES has been explicitly enabled for the account, so the two AES entries are the ones that matter. Note also that arcfour-hmac-md5-exp is not arcfour-hmac: an account with no msDS-SupportedEncryptionTypes attribute gets RC4 (arcfour-hmac) service tickets from AD by default, so either set that attribute to AES on the account or add an arcfour-hmac entry as well. Finally, -k 1 hard-codes the key version number; AD keeps the real value in the account's msDS-KeyVersionNumber attribute and bumps it on every password reset. Confirm that the keytab actually works with kinit -kt before handing it to a service, and if it stops working later compare the keytab KVNO against msDS-KeyVersionNumber and regenerate it.
[root@host1 ~]# ktutil
ktutil: add_entry -password -p HTTP/loadbalancerhost@HOST.COM -k 1 -e aes128-cts-hmac-sha1-96
Password for HTTP/loadbalancerhost@HOST.COM:
ktutil: add_entry -password -p HTTP/loadbalancerhost@HOST.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for HTTP/loadbalancerhost@HOST.COM:
ktutil: add_entry -password -p HTTP/loadbalancerhost@HOST.COM -k 1 -e arcfour-hmac-md5-exp
Password for HTTP/loadbalancerhost@HOST.COM:
ktutil: add_entry -password -p HTTP/loadbalancerhost@HOST.COM -k 1 -e des3-cbc-sha1
Password for HTTP/loadbalancerhost@HOST.COM:
ktutil: add_entry -password -p HTTP/loadbalancerhost@HOST.COM -k 1 -e des-cbc-md5
Password for HTTP/loadbalancerhost@HOST.COM:
ktutil: write_kt spenego.service.keytab
ktutil: exit
[root@host1 ~]# klist -ket spenego.service.keytab
Keytab name: FILE:spenego.service.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 01/18/17 03:12:38 HTTP/loadbalancerhost@HOST.COM (aes128-cts-hmac-sha1-96)
   1 01/18/17 03:12:38 HTTP/loadbalancerhost@HOST.COM (aes256-cts-hmac-sha1-96)
   1 01/18/17 03:12:38 HTTP/loadbalancerhost@HOST.COM (arcfour-hmac-exp)
   1 01/18/17 03:12:38 HTTP/loadbalancerhost@HOST.COM (des3-cbc-sha1)
   1 01/18/17 03:12:38 HTTP/loadbalancerhost@HOST.COM (des-cbc-md5)
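What ktutil write_kt actually puts on disk, as an added example in Python that is not part of the original article or of MIT Kerberos: it serializes and parses the MIT keytab file format (version 0x0502) so you can read back the same fields klist -ket prints, with the enctype numbers the names above correspond to. The key bytes and the timestamp are constructed placeholders, not keys derived from the password.

```python
"""Serialize and parse MIT keytab files (format 0x0502), the file ktutil write_kt writes.

Added example, not code from the article or from MIT Kerberos. Key bytes are
constructed placeholders; real entries hold keys derived from the password.
"""
import struct
import time

# Enctype numbers (RFC 3961/3962/4757) for the names used in step 5
ENCTYPE_NAMES = {
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
    24: "arcfour-hmac-exp",   # ktutil's "arcfour-hmac-md5-exp" is this enctype
}
KRB5_NT_PRINCIPAL = 1
KEYTAB_VERSION = b"\x05\x02"


def _counted(data: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(blob: bytes, pos: int):
    """Inverse of _counted; returns (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def write_keytab(principal: str, entries) -> bytes:
    """Build a keytab with one entry per (kvno, timestamp, enctype, key) tuple."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    out = KEYTAB_VERSION
    for kvno, timestamp, enctype, key in entries:
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in components)
        # name_type, timestamp, 8-bit kvno, then keyblock {enctype, key}
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)   # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body   # size excludes itself
    return out


def parse_keytab(blob: bytes) -> list:
    """Return [(principal, kvno, timestamp, enctype_name, key_length)] per entry."""
    if blob[:2] != KEYTAB_VERSION:
        raise ValueError("only keytab format 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:           # negative size: deleted entry occupying -size bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        key, pos = _read_counted(blob, pos + 2)
        kvno = vno8
        if end - pos >= 4:      # 32-bit kvno present; it wins when non-zero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            kvno = vno32 or vno8
        pos = end
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append((principal, kvno, timestamp,
                        ENCTYPE_NAMES.get(enctype, f"enctype {enctype}"), len(key)))
    return entries


if __name__ == "__main__":
    ts = 1484709158   # constructed timestamp (seconds since the epoch)
    # constructed placeholder keys with the real key sizes of each enctype
    sample = [(1, ts, 17, bytes(range(16))), (1, ts, 18, bytes(range(32))),
              (1, ts, 24, bytes(range(16))), (1, ts, 16, bytes(range(24))),
              (1, ts, 3, bytes(range(8)))]
    keytab = write_keytab("HTTP/loadbalancerhost@HOST.COM", sample)
    print("KVNO Timestamp         Principal")
    for principal, kvno, when, etype, klen in parse_keytab(keytab):
        stamp = time.strftime("%m/%d/%y %H:%M:%S", time.localtime(when))
        print(f"{kvno:>4} {stamp} {principal} ({etype}, {klen}-byte key)")
```

parse_keytab() also reads a real keytab passed in as open(path, "rb").read(), which is a quick way to check the KVNO and enctypes a service was handed without ktutil. The arcfour-hmac-md5-exp entry is written as enctype 24, which klist prints as arcfour-hmac-exp; that is why the name differs between the ktutil input and the klist output above.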