Ambari Kerberos - Existing AD

Super Collaborator

Hi All,

I set up a kerberized cluster using AD, and everything went fine. Next I wanted to set up Kerberos for Ambari using the steps below:

http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_Ambari_Security_Guide/content/_optional_s...

The problem is I can't kadmin in my Linux boxes:

[root@securityLab01 ~]# kadmin

Authenticating as principal ambari-qa-securityLab/admin@XXXXXXIT.LOCAL with password.

kadmin: Client not found in Kerberos database while initializing kadmin interface

Which user can I use to use kadmin?

Thanks,

Avijeet

1 ACCEPTED SOLUTION

Guru

Hello @Avijeet Dash ,

If you are using AD as the Kerberos KDC, then you should not use kadmin to create an Ambari server principal. You need to log in to AD and create a user account for the Ambari server. Once that is done, you can generate a keytab for this user by using this command (on AD's command prompt):

ktpass /princ ambari-server@HWX.COM /pass <password> /mapuser ambari-server /pType KRB5_NT_PRINCIPAL /crypto ALL /out c:\temp\ambari.server.keytab

Here I've kept the AD user account name and the Kerberos principal name the same: 'ambari-server'.

Once the keytab is generated, copy it to the host running the Ambari service. Then follow from step #3 in the doc link that you gave in the question.

Hope this helps,

Vipin
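
A check worth running on the generated keytab before it is copied to the Ambari host, as an added example that is not part of the original answer: ktpass with /crypto ALL writes one key per encryption type it supports, which can include DES and RC4. The sketch parses the MIT keytab layout (format 0x0502) and lists the entries that use those types; the weak-type policy, the function names and the all-zero sample keytab are assumptions made for the example.

```python
import struct

# Standard Kerberos enctype numbers; flagging DES and RC4 as weak is this example's policy.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK = {1, 3, 23}

def _parse_entry(e):
    def counted(off):                   # uint16 length + bytes -> (text, new offset)
        (n,) = struct.unpack_from(">H", e, off)
        return e[off + 2:off + 2 + n].decode("utf-8", "replace"), off + 2 + n
    (ncomp,) = struct.unpack_from(">H", e, 0)
    realm, off = counted(2)
    parts = []
    for _ in range(ncomp):
        part, off = counted(off)
        parts.append(part)
    _, _, kvno, enctype, keylen = struct.unpack_from(">IIBHH", e, off)  # type, time, kvno8
    off += 13 + keylen                  # skip the key bytes; never read or return them
    if len(e) - off >= 4:               # optional 32-bit kvno overrides the 8-bit one
        kvno = struct.unpack_from(">I", e, off)[0] or kvno
    return "/".join(parts) + "@" + realm, kvno, enctype

def parse_keytab(data):                 # -> [(principal, kvno, enctype number)]
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)                # a negative size marks a deleted slot to skip
    return entries

def weak_entries(data):
    return [(p, k, ENCTYPES.get(t, f"etype-{t}"))
            for p, k, t in parse_keytab(data) if t in WEAK]

def make_entry(name, realm, kvno, enctype, keylen):   # constructed entry, all-zero key
    body = struct.pack(">H", 1)
    for s in (realm, name):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(f">IIBHH{keylen}xI", 1, 0, kvno, enctype, keylen, kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab; principal and realm are the ones used in the answer.
SAMPLE = b"\x05\x02" + b"".join(make_entry("ambari-server", "HWX.COM", 3, t, n)
    for t, n in ((1, 8), (3, 8), (23, 16), (18, 32), (17, 16)))
```

To check a real file, read it in binary mode and pass the bytes to `weak_entries`; an empty result means no DES or RC4 keys are present.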

@Avijeet Dash

For versions before Ambari 2.4.0, @Vipin Rathor's answer is correct. For Ambari 2.4.0 (and later), Ambari will do this for you when Kerberos is enabled.

Super Collaborator

Thanks @Robert Levas @Vipin Rathor

Can we use the Ambari Views / File views etc. if the Hadoop cluster is kerberized but Ambari is not?

As HDP doesn't have HUE, I am having an issue setting up UI-based access to tables etc.


If the cluster is Kerberized, then some, if not all views, will require that Ambari's Kerberos identity is configured. This is so the views can authenticate to the relevant services.