
Active Directory Kerberos: Password length for principals


Contributor

Hi,

I need to kerberize the cluster using Active Directory. 

I want Cloudera Manager to manage all the principals for me, so I need to create a principal for it in AD for it to create other principals needed.

So far so good, but the company is asking for a specific password length. So the question is:

How can I tell Cloudera Manager the password length of the principal to be created in Active Directory? What is the default configuration?

 

I found on this page that using /minpass and /maxpass you can set the length of the random-generated password: how can I pass something like this to CM?

 

Thanks

Bye

Omar

4 REPLIES

Re: Active Directory Kerberos: Password length for principals

New Contributor

Having the same problem... we're not using the default password policy in my company...

Did you find out how to make it generate a password of more than 12 letters?

Re: Active Directory Kerberos: Password length for principals

Contributor

Nope. Still waiting for a reply from here.

By the way, how did you find out the password is 12 chars long?

Re: Active Directory Kerberos: Password length for principals

New Contributor

When it's generating the passwords I saw that the password was always 12 chars...

anyway.. the "fix" for this is:

 

edit /usr/share/cmf/bin/gen_credentials_ad.sh

 

and swap out PASSWD=$4

with something like

 

PASSWD=${4}XyZxYz

 

this will generate a 12 char password + XyZxYz

 

PS: AFAIK Cloudera doesn't allow their customers to do this...
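An added example, not part of the reply above and not Cloudera's code: a constant suffix such as XyZxYz satisfies a length rule but is identical for every principal, so it adds no unpredictability, whereas padding with random characters does. The sketch assumes only what the reply shows (the generated password arrives as `$4`); the function names, the character set and the sample password are hypothetical.

```shell
#!/bin/sh
# Added example, not Cloudera's code. Function and variable names are hypothetical.

# random_chars N: print N characters from [A-Za-z0-9], sourced from /dev/urandom.
random_chars() {
    want=$1
    pool=""
    [ "$want" -gt 0 ] || return 0
    while [ "${#pool}" -lt "$want" ]; do
        # LC_ALL=C makes tr filter raw bytes; fixed-size reads avoid an
        # endless stream that would need to be cut off mid-pipe.
        pool=$pool$(head -c 256 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')
    done
    printf '%s\n' "$pool" | cut -c1-"$want"
}

# pad_password BASE MINLEN: print BASE, extended with random characters
# until it is at least MINLEN long. A BASE that is already long enough
# is returned unchanged.
pad_password() {
    base=$1
    minlen=$2
    deficit=$((minlen - ${#base}))
    if [ "$deficit" -gt 0 ]; then
        printf '%s%s\n' "$base" "$(random_chars "$deficit")"
    else
        printf '%s\n' "$base"
    fi
}

# Constructed 12-character sample standing in for the generated password ($4).
pad_password 'Abc123def456' 24
```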

Re: Active Directory Kerberos: Password length for principals

Contributor

Hi, I wasn't notified of your reply.

I had the opportunity to talk to a Cloudera internal, and he said that upon principal creation, CM does not append any specific option for password length, because it is just asking krb to generate a random password for it.

So it just adds -randkey. The guy says that any modification to the length of a random password should be done on the Kerberos side, and it actually makes sense.

Question is: how to tell Kerberos or AD the default size of the random-generated password?

Can't find anything about it. I wasn't able to find anything like a policy or defaults for this: there are specific options for minsize and maxsize, though, but you have to append them when asking for the principal.

 

Bye

O.