Created on 02-06-2020 08:58 AM - last edited on 02-06-2020 01:07 PM by ask_bill_brooks
Dear Community,
Actually, I have a Hadoop Hortonworks cluster with Kerberos enabled.
The users who access it are in an AD repository.
I can add some users and test that users could submit their jobs successfully.
But the issue here is that I have to add every user on all nodes and also register every user's keytab on all nodes.
This is OK for 1 or 2 users but not for 50 or 100 😞
I am creating keytabs using ktutil, so I have to ask every user to type his password!!
Is there any other tip to do this?
How can I register keytabs for a domain not per user?
Should I do it per user?
Any idea will be appreciated.
Thanks
Asma
Created 02-06-2020 10:05 AM
@asmarz You don't have to create every user manually. This can be taken care of by Ambari itself. Our doc says:
When you enable Kerberos, if you choose to use an Existing MIT KDC or Existing Active Directory, the Kerberos Wizard prompts for information related to the KDC, the KDC Admin Account credentials, and the Service and Ambari principals. Once provided, Ambari will automatically create principals, generate keytabs and distribute keytabs to the hosts in the cluster. The services will be configured for Kerberos and the service components are restarted to authenticate against the KDC. This is the Kerberos Automated Setup option.
Please follow the doc below for this:
Created 02-06-2020 12:38 PM
Thank you for your reply.
I first configured only the Ambari server and the edge node with Active Directory (Samba), then I enabled Kerberos. I got a lot of principals generated on the Hadoop but for Spark, YARN ...
Users from AD could not connect and execute their jobs.
Then I configured the other nodes, name nodes and data nodes, with Active Directory and I added users manually, and then they were able to use the cluster.
So I don't understand why I did not get the automatic thing for AD users? Should I regenerate keytabs from the Ambari server?
It is really a blocking issue for me ..
Thanks a lot in advance
Created 02-06-2020 12:57 PM
In the second link that you have attached there is a link to centrifugal, and it is about adding a ticket for users, example we user .. it should be done manually for each user ..