Automation of kinit process without login into edge node for end users?

Hi,

Right now we are following this process:

kinit username@REALM.COM
Password for username@REALM.COM

Now the end business analytical team doesn't want to log in to PuTTY/the edge node and get a valid ticket all the time. Is there any way we can automate getting a valid ticket as soon as they log in to either Windows, SAS, or any reporting tool? If yes, can you please share the process to implement it with me? Thanks in advance.


Re: Automation of kinit process without login into edge node for end users?

Guru

Does your BA team on Windows use AD? If so, a one-way trust will work.

You need to configure your Kerberos server to trust AD. This way, any validly authenticated AD user will be trusted and he/she will not need another kinit from Windows. You can take a look at the one-way trust setup here.

Re: Automation of kinit process without login into edge node for end users?

@Ravi Mutyala

No, they are on LDAP. Now, as soon as they log in to an analytical tool like SAS/R/internal tools etc., they need to log in to the edge node and get a valid ticket. They feel the pain of logging in every time and getting a valid ticket every day.


Re: Automation of kinit process without login into edge node for end users?

New Contributor

@Ravi Mutyala Will this work where the client (desktop) connects to its server (Windows server), which then acts as a client to the HDP cluster? There is no direct login. We are not finding much info. Any advice?

Re: Automation of kinit process without login into edge node for end users?

@Sri Bandaru

If all you need to do is automate the grabbing of the ticket, then you can set up a keytab file and use the login script to automatically kinit when the user logs in with something similar to the following:

> ktutil
  ktutil:  addent -password -p username@DOMAIN.COM -k 1 -e rc4-hmac
  Password for username@DOMAIN.COM: [enter your password]
  ktutil:  addent -password -p username@DOMAIN.COM -k 1 -e aes256-cts
  Password for username@DOMAIN.COM: [enter your password]
  ktutil:  wkt username.keytab
  ktutil:  quit
> mkdir /home/username/keytabs
> chmod 700 /home/username/keytabs
> mv username.keytab /home/username/keytabs
> chmod 600 /home/username/keytabs/username.keytab
> echo "kinit -kt /home/username/keytabs/username.keytab username@DOMAIN.COM" >> /home/username/.bash_profile

This will create a keytab for the user, move it into a secure directory, and automatically get a ticket when the user logs in with a bash shell.

If you are trying to automate the use of a ticket from the desktop, then you can use a similar method. You will have to install something like the Oracle JDK to get a kinit tool, but you can create the keytab on a Linux machine and copy it to the Windows system. Obviously, whatever tool you are trying to use (SAS, etc.) will need to be able to pass the Kerberos ticket to the cluster for authentication.
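The login-script step above can be wrapped in a small helper that refuses a keytab whose permissions are wider than the `chmod 600` shown, and only calls kinit when no valid ticket is already cached. This is an added example, not code from the reply or from any vendor; the function names, the keytab path and the principal are assumptions.

```shell
#!/bin/sh
# Hypothetical login-time helper around "kinit -kt <keytab> <principal>".
# A keytab holds long-term key material, so it is only used when it is a
# regular file with no group/other permission bits (0600 or stricter).

# Return 0 when the keytab exists, is a regular file and has mode ?00.
keytab_perms_ok() {
  kt="$1"
  [ -f "$kt" ] || return 1
  # GNU stat first, BSD/macOS stat as a fallback
  mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt" 2>/dev/null) || return 1
  case "$mode" in
    *00) return 0 ;;   # group and other have no bits set
    *)   return 1 ;;   # e.g. 640 or 644: readable by others, reject
  esac
}

# Return 0 when a usable ticket is already in the credential cache.
# "klist -s" prints nothing and exits 0 only if a valid ticket exists.
have_valid_ticket() {
  command -v klist >/dev/null 2>&1 && klist -s 2>/dev/null
}

# Obtain a ticket from the keytab unless one is already cached.
# Exit codes: 0 ticket available, 2 keytab rejected, otherwise kinit's status.
ensure_ticket() {
  kt="$1"
  princ="$2"
  if ! keytab_perms_ok "$kt"; then
    echo "refusing keytab $kt: not a regular file with mode 0600 or stricter" >&2
    return 2
  fi
  have_valid_ticket && return 0
  kinit -kt "$kt" "$princ"
}

# Typical call from ~/.bash_profile (assumed path and principal):
# ensure_ticket /home/username/keytabs/username.keytab username@DOMAIN.COM
```

Because the helper skips kinit when `klist -s` succeeds, the keytab is read only when a fresh ticket is actually needed.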

Re: Automation of kinit process without login into edge node for end users?

New Contributor

@emaxwell

Your explanation, especially the last paragraph, is the closest explanation I have come across to what we are trying to resolve. Indeed, we are using a SAS client on a desktop that connects to a SAS server (as in a session), and the need is to pass the user's Kerberos ticket to HDP from that server. We have turned on the registry setting on the Windows server so the ticket cache is shareable, but no go.

I was wondering if there is any doc or step-by-step guide available? Also, do the steps you showed in the code section above need to be done for each end user on the client (to HDP) server? There is NO direct end-user login to the server (only via clients). Is there anything that could have the Windows OS perform kinit on behalf of the end user and pass that ticket to HDP?

Any insight is appreciated as we are going in circles.

(Still discovering Kerberos, not expert level.)

Re: Automation of kinit process without login into edge node for end users?

Expert Contributor

@Sri Bandaru

You can use Quest authentication/authorization services. We use it in production to grant you a TGT when you log in to the box.

Re: Automation of kinit process without login into edge node for end users?

@Smart Solutions

Can you please explain in detail how you use it in production? Based on that I can figure out a plan for how it works for me.

Re: Automation of kinit process without login into edge node for end users?

New Contributor

This is precisely the pain point we see: on Linux one could do PAM, but there is zero info on Windows. I would add, how does one have the Windows OS kinit on a user's (session) behalf?
