Support Questions
Find answers, ask questions, and share your expertise

Cloubdreak on Azure Kerberos configuration hostnames too long

Solved Go to solution

Cloubdreak on Azure Kerberos configuration hostnames too long

Hi,

I am setting up a Kerberized cluster with Cloudbreak 2.7 on Azure. We have created a cluster install using simple options and it all works well, however, once we come to installing a cluster using Kerberos we are running into an error when creating the principals.

Failed to create the account for HTTP/hostname.guid.px.internal.cloudapp.net@EXAMPLE.COM

it seems that the principal is too long to fit into the 64 char limit that we have in Active Directory due to the hostname being too long.

My questions are

Is there a way around this issue?

Has anyone else managed to setup kerberos on Azure using Active Directory, if so how?

Thanks for any help that can be provided.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Cloubdreak on Azure Kerberos configuration hostnames too long

There is a workaround for this issue. However the results may not be desired since the CN will be a set of seemingly random characters.

The CN is set using the value calculated using the Velocity template specified in the kerberos-env/ad_create_attributes_template configuration. The default value of the template is

{
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "cn": "$principal_name",
  #if( $is_service )
  "servicePrincipalName": "$principal_name",
  #end
  "userPrincipalName": "$normalized_principal",
  "unicodePwd": "$password",
  "accountExpires": "0",
  "userAccountControl": "66048"
} 

As you can see, the CN value is set to the identity's principal name. This can be changed, but we need to make sure the value will be unique. There are several variables available to use in this template. See https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.1.5/bk_ambari-security/content/customizing_the_....

You can use one of the hashes to limit the size of the value and provide a reasonable probability of uniqueness:

  • principal_digest (SHA1) - 40 characters
  • principal_digest_256 (SHA256) - 64 characters
  • principal_digest_512 (SHA512) - 128 characters

Since the maximum length for the CN attribute in an Active Directory is 64 characters, I would suggest using principal_digest_256.

For example,

{
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "cn": "$principal_digest_256",
  #if( $is_service )
  "servicePrincipalName": "$principal_name",
  #end
  "userPrincipalName": "$normalized_principal",
  "unicodePwd": "$password",
  "accountExpires": "0",
  "userAccountControl": "66048"
} 

Notice the "cn" line was changed from "cn": "$principal_name" to "cn": "$principal_digest_256".

You can change this templet from the Enable Kerberos Wizard if you open the Advanced kerberos-env tab on the Configure Kerberos page and look for the Account Attribute Template property.

View solution in original post

1 REPLY 1

Re: Cloubdreak on Azure Kerberos configuration hostnames too long

There is a workaround for this issue. However the results may not be desired since the CN will be a set of seemingly random characters.

The CN is set using the value calculated using the Velocity template specified in the kerberos-env/ad_create_attributes_template configuration. The default value of the template is

{
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "cn": "$principal_name",
  #if( $is_service )
  "servicePrincipalName": "$principal_name",
  #end
  "userPrincipalName": "$normalized_principal",
  "unicodePwd": "$password",
  "accountExpires": "0",
  "userAccountControl": "66048"
} 

As you can see, the CN value is set to the identity's principal name. This can be changed, but we need to make sure the value will be unique. There are several variables available to use in this template. See https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.1.5/bk_ambari-security/content/customizing_the_....

You can use one of the hashes to limit the size of the value and provide a reasonable probability of uniqueness:

  • principal_digest (SHA1) - 40 characters
  • principal_digest_256 (SHA256) - 64 characters
  • principal_digest_512 (SHA512) - 128 characters

Since the maximum length for the CN attribute in an Active Directory is 64 characters, I would suggest using principal_digest_256.

For example,

{
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "cn": "$principal_digest_256",
  #if( $is_service )
  "servicePrincipalName": "$principal_name",
  #end
  "userPrincipalName": "$normalized_principal",
  "unicodePwd": "$password",
  "accountExpires": "0",
  "userAccountControl": "66048"
} 

Notice the "cn" line was changed from "cn": "$principal_name" to "cn": "$principal_digest_256".

You can change this templet from the Enable Kerberos Wizard if you open the Advanced kerberos-env tab on the Configure Kerberos page and look for the Account Attribute Template property.

View solution in original post