Support Questions

Find answers, ask questions, and share your expertise

Automation of kinit process without login into edge node for end users?

avatar

Hi,

Right now we are following this process:

kinit username@REALM.COM
Password for username@REALM.COM

Now end business analytical team doesn't want to login to Putty/Edge node and get a valid ticket all the time. Is there any way that we can automate to get a valid ticket as soon as they login either Windows/SAS/ any reporting tool? If yes, can you please share me the process to implement? Thanks in advance

8 REPLIES 8

avatar
Guru

Does your BA team on windows use AD ? If so, one way trust will work.

You need to configure your Kerberos server to trust AD. This way, any valid authenticated AD user will be trusted and he/she will not need another kinit from windows. You can take a look at one way trust setup here.

avatar

@Ravi Mutyala

No, they are on LDAP. Now, as soon as they login into the analytical tool like SAS/R/Internal tools etc., they need to login into edge node and get validate a ticket. They feel the pain of everytime logging and get a valid ticket everyday.

avatar
Contributor

@Ravi MutyalaWill this work where client (desktop) connects to its server (win server) which then acts as a client to the HDP cluster. There is no direct login. We are not finding much info. Any advice?

avatar

@Sri Bandaru

If all you need to do is automate the grabbing of the ticket, then you can set up a keytab file and use the login script to automatically kinit when the user logs in with something similar to the following:

> ktutil
  ktutil:  addent -password -p username@DOMAIN.COM -k 1 -e rc4-hmac
  Password for username@DOMAIN.COM: [enter your password]
  ktutil:  addent -password -p username@DOMAIN.COM -k 1 -e aes256-cts
  Password for username@DOMAIN.COM: [enter your password]
  ktutil:  wkt username.keytab
  ktutil:  quit
> mkdir /home/username/keytabs
> chmod 700 /home/username/keytabs
> mv username.keytab /home/username/keytabs
> chmod 600 /home/username/keytabs/username.keytab
> echo "kinit -kt /home/username/keytabs/username.keytab username@DOMAIN.COM" >> /home/username/.bash_profile

This will create a keytab for the user, move it into a secure directory, and automatically get a ticket when the user logs in with a bash shell.

If you are trying to automate the use of a ticket from the desktop, then you can use a similar method. You will have to install something like the Oracle JDK to get a kinit tool, but you can create the keytab on a Linux machine and copy it to the windows system. Obviously, whatever tool you are trying to use (SAS, etc.) will need to be able to pass the Kerberos ticket to the cluster for authentication.

avatar
Contributor

@emaxwell

Your explanation, specially last paragraph, is the most closest explanation I have come across, of what we are trying to resolve. Indeed (using SAS client on a desktop) that connects to a SAS server (as in a session) and the need is to pass the user's kerberos ticket to HDP from that server. We have turned the registry setting in WIN server so the ticket cache is shareable, but no go.

I was wondering if there is any doc or step by step that is available? Also, the steps you showed in code section above, needs to be done for ea. end user on the client (to HDP) server? There is NO direct end-user login to the server (only via clients). Is there anything that could have WIN OS perform kinit on behalf of the end user and pass that ticket to HDP.

Any insight is appreciated as we are going in circle.

*(Still discovering kerberos not expert level)

avatar
Expert Contributor
@Sri Bandaru

You can use Quest authentication/authorization services. We use it in production to grant you a TGT when you login to the box.

avatar

@Smart Solutions

Can you please explain in details how do you use in production? Based on that I can figure out the plan how it works for me.

avatar
Contributor

Precise pain point we see, if on Linux one could do PAM but zero info on WIN. I would add, how does one have WIN OS to kinit on a user's (session) behalf?