Right now we are following this process:
```
kinit username@REALM.COM
Password for username@REALM.COM:
```
Now the end business analytical team doesn't want to log in to PuTTY/the edge node and get a valid ticket all the time. Is there any way we can automate getting a valid ticket as soon as they log in, whether through Windows, SAS or any reporting tool? If yes, could you please share the process to implement it? Thanks in advance.
Does your BA team on Windows use AD? If so, a one-way trust will work.
You need to configure your Kerberos server to trust AD. This way, any validly authenticated AD user will be trusted and he/she will not need another kinit from Windows. You can take a look at the one-way trust setup here.
No, they are on LDAP. Now, as soon as they log in to an analytical tool like SAS/R/internal tools etc., they need to log in to the edge node and get a valid ticket. They feel the pain of logging in and getting a valid ticket every day.
@Ravi Mutyala Will this work where the client (desktop) connects to its server (Windows server), which then acts as a client to the HDP cluster? There is no direct login. We are not finding much info. Any advice?
If all you need to do is automate the grabbing of the ticket, then you can set up a keytab file and use the login script to automatically kinit when the user logs in with something similar to the following:
```
> ktutil
ktutil: addent -password -p username@DOMAIN.COM -k 1 -e rc4-hmac
Password for username@DOMAIN.COM: [enter your password]
ktutil: addent -password -p username@DOMAIN.COM -k 1 -e aes256-cts
Password for username@DOMAIN.COM: [enter your password]
ktutil: wkt username.keytab
ktutil: quit
> mkdir /home/username/keytabs
> chmod 700 /home/username/keytabs
> mv username.keytab /home/username/keytabs
> chmod 600 /home/username/keytabs/username.keytab
> echo "kinit -kt /home/username/keytabs/username.keytab username@DOMAIN.COM" >> /home/username/.bash_profile
```
This will create a keytab for the user, move it into a secure directory, and automatically get a ticket when the user logs in with a bash shell.
If you are trying to automate the use of a ticket from the desktop, then you can use a similar method. You will have to install something like the Oracle JDK to get a kinit tool, but you can create the keytab on a Linux machine and copy it to the windows system. Obviously, whatever tool you are trying to use (SAS, etc.) will need to be able to pass the Kerberos ticket to the cluster for authentication.
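A slightly more careful version of that login snippet, added here as an example and not part of the original answer: it only calls kinit when klist reports no valid ticket in the cache, and it refuses to use a keytab that is readable by group or others, since the keytab holds password-equivalent keys. It assumes the MIT Kerberos client tools (kinit, klist) are on the path; DOMAIN.COM and the keytab path are placeholders, as in the answer above.

```shell
#!/bin/sh
# Added example (not from the original post): refresh the user's TGT from a
# keytab only when the credential cache has no valid ticket.
# Placeholders: DOMAIN.COM is a stand-in realm, the keytab path follows the answer above.
KEYTAB="${KEYTAB:-$HOME/keytabs/$USER.keytab}"
PRINCIPAL="${PRINCIPAL:-$USER@DOMAIN.COM}"

# Returns 0 only if the file exists and is mode 600 or 400 (owner-only).
# A keytab readable by anyone else lets them obtain tickets as this user.
keytab_perms_ok() {
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# klist -s exits 0 when the cache holds a valid, unexpired TGT, so a fresh
# login during the ticket's lifetime does not hit the KDC again.
ensure_ticket() {
  if klist -s 2>/dev/null; then
    return 0
  fi
  if ! keytab_perms_ok "$KEYTAB"; then
    echo "keytab missing or too permissive, not using it: $KEYTAB" >&2
    return 1
  fi
  kinit -kt "$KEYTAB" "$PRINCIPAL"
}

# Run only when invoked as "sh kerb-login.sh run" (e.g. from .bash_profile);
# sourcing the file just defines the functions.
case "${1:-}" in
  run) ensure_ticket ;;
esac
```

Put the file under the same 700 directory as the keytab and call it from .bash_profile instead of the bare kinit line, so a keytab that has accidentally been left world-readable is reported rather than silently used.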
Your explanation, especially the last paragraph, is the closest explanation I have come across to what we are trying to resolve. Indeed, we are using a SAS client on a desktop that connects to a SAS server (as in a session), and the need is to pass the user's Kerberos ticket to HDP from that server. We have turned on the registry setting on the Windows server so the ticket cache is shareable, but no go.
I was wondering if there is any doc or step-by-step guide available? Also, do the steps you showed in the code section above need to be done for each end user on the client (to HDP) server? There is NO direct end-user login to the server (only via clients). Is there anything that could have the Windows OS perform kinit on behalf of the end user and pass that ticket to HDP?
Any insight is appreciated, as we are going in circles.
The precise pain point we see: on Linux one could do PAM, but there is zero info on Windows. I would add, how does one have the Windows OS kinit on a user's (session) behalf?