Ambari Kerberos - Existing AD
Labels: Apache Ambari, Kerberos
Created on 09-19-2016 06:47 AM - edited 09-16-2022 03:39 AM
Hi All,
I set up a kerberized cluster using AD, and everything went fine. Next I wanted to set up Kerberos for Ambari using the steps below.
The problem is I can't kadmin in my Linux boxes:
[root@securityLab01 ~]# kadmin
Authenticating as principal ambari-qa-securityLab/admin@XXXXXXIT.LOCAL with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface
Which user can I use to use kadmin?
Thanks,
Avijeet
Created 09-19-2016 10:06 AM
Hello @Avijeet Dash ,
If you are using AD as the Kerberos KDC, then you should not use kadmin to create an Ambari server principal. You need to log in to AD and create a user account for the Ambari server. Once that is done, you can generate a keytab for this user by using this command (on AD's command prompt):
ktpass /princ ambari-server@HWX.COM /pass <password> /mapuser ambari-server /pType KRB5_NT_PRINCIPAL /crypto ALL /out c:\temp\ambari.server.keytab
Here I've kept the AD user account name and the Kerberos principal name the same, 'ambari-server'.
Once the keytab is generated, copy it to the host running the Ambari service. Then follow from step #3 in the doc link that you gave in the question.
Hope this helps,
Vipin
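A check to run on the Ambari host once the keytab is copied over, added here as an example and not part of the original answer: it parses the MIT keytab file format (version 0x0502), lists each entry's principal, key version number and encryption type, and flags DES and RC4 keys, which `/crypto ALL` includes alongside AES. The sample bytes are constructed with an all-zero key; `parse_keytab`, `weak_enctypes` and `sample_entry` are names chosen for this example.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}  # IANA Kerberos enctype numbers
WEAK = {1, 3, 23}  # DES and RC4

def _counted(data, p):
    """Read a uint16-length-prefixed octet string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype, is_weak)] for a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        start, pos = pos + 4, pos + 4 + abs(size)  # pos now marks the next entry
        if size <= 0:                              # negative size: deleted slot
            continue
        if pos > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, start)
        parts, p = [], start + 2
        for _ in range(ncomp + 1):                 # realm first, then name components
            s, p = _counted(data, p)
            parts.append(s.decode())
        p += 8                                     # skip name type and timestamp
        kvno, etype = struct.unpack_from(">BH", data, p)
        _key, p = _counted(data, p + 3)            # key bytes are never returned
        if pos - p >= 4:                           # optional 32-bit kvno, 0 = unused
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        name = "/".join(parts[1:]) + "@" + parts[0]
        entries.append((name, kvno, ENCTYPES.get(etype, f"etype-{etype}"), etype in WEAK))
    return entries

def weak_enctypes(data):
    """Sorted names of the DES/RC4 enctypes present in the keytab."""
    return sorted({e[2] for e in parse_keytab(data) if e[3]})

def sample_entry(etype, keylen, kvno=3):
    """Constructed entry for ambari-server@HWX.COM with an all-zero key."""
    body = struct.pack(">HH7sH13sIIBHH", 1, 7, b"HWX.COM", 13, b"ambari-server",
                       1, 0, kvno, etype, keylen) + bytes(keylen) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one DES, one RC4 and one AES256 key for the same principal.
SAMPLE = b"\x05\x02" + sample_entry(3, 8) + sample_entry(23, 16) + sample_entry(18, 32)
```

For a real file, pass its bytes, for example `parse_keytab(open(path, "rb").read())`, and confirm the principal matches the one Ambari is configured with.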
Created 09-19-2016 01:11 PM
For versions before Ambari 2.4.0, @Vipin Rathor's answer is correct. For Ambari 2.4.0 (and later), Ambari will do this for you when Kerberos is enabled.
Created 09-19-2016 01:38 PM
Thanks @Robert Levas @Vipin Rathor
Can we use the Ambari Views / File views etc. if the Hadoop cluster is kerberized but Ambari is not?
As HDP doesn't have HUE, I am having an issue setting up UI-based access to tables etc.
Created 09-19-2016 03:50 PM
If the cluster is Kerberized, then some, if not all views, will require that Ambari's Kerberos identity is configured. This is so the views can authenticate to the relevant services.