Cloudbreak on Azure Kerberos configuration hostnames too long
Labels: Hortonworks Cloudbreak
Created 08-03-2018 03:02 AM
Hi,
I am setting up a Kerberized cluster with Cloudbreak 2.7 on Azure. We have created a cluster install using simple options and it all works well; however, once we come to installing a cluster using Kerberos we are running into an error when creating the principals:
Failed to create the account for HTTP/hostname.guid.px.internal.cloudapp.net@EXAMPLE.COM
It seems that the principal is too long to fit into the 64-character limit that we have in Active Directory, due to the hostname being too long.
My questions are:
Is there a way around this issue?
Has anyone else managed to set up Kerberos on Azure using Active Directory, and if so, how?
Thanks for any help that can be provided.
Created 08-03-2018 03:19 AM
There is a workaround for this issue. However, the results may not be desired, since the CN will be a set of seemingly random characters.
The CN is set using the value calculated by the Velocity template specified in the kerberos-env/ad_create_attributes_template configuration. The default value of the template is:
{
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "cn": "$principal_name",
  #if( $is_service )
  "servicePrincipalName": "$principal_name",
  #end
  "userPrincipalName": "$normalized_principal",
  "unicodePwd": "$password",
  "accountExpires": "0",
  "userAccountControl": "66048"
}
As you can see, the CN value is set to the identity's principal name. This can be changed, but we need to make sure the value will be unique. There are several variables available to use in this template. See https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.1.5/bk_ambari-security/content/customizing_the_....
You can use one of the hashes to limit the size of the value and provide a reasonable probability of uniqueness:
- principal_digest (SHA1) - 40 characters
- principal_digest_256 (SHA256) - 64 characters
- principal_digest_512 (SHA512) - 128 characters
Since the maximum length for the CN attribute in Active Directory is 64 characters, I would suggest using principal_digest_256.
For example:
{
  "objectClass": ["top", "person", "organizationalPerson", "user"],
  "cn": "$principal_digest_256",
  #if( $is_service )
  "servicePrincipalName": "$principal_name",
  #end
  "userPrincipalName": "$normalized_principal",
  "unicodePwd": "$password",
  "accountExpires": "0",
  "userAccountControl": "66048"
}
Notice the "cn" line was changed from "cn": "$principal_name" to "cn": "$principal_digest_256".
You can change this template from the Enable Kerberos Wizard: open the Advanced kerberos-env tab on the Configure Kerberos page and look for the Account Attribute Template property.
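As an added illustration (not code from the thread, Ambari or Cloudbreak), the Python below stands in for the template rendering so you can check before enabling Kerberos which CN variable fits the 64-character Active Directory limit for your cluster's real hostnames. It assumes the principal_digest* variables are the hex encoding of SHA-1/SHA-256/SHA-512 over the principal string (the 40/64/128 lengths in the answer match that), and the principal used is constructed to resemble an Azure internal hostname.

```python
import hashlib

# CN attribute limit in Active Directory, as stated in the answer above.
AD_CN_MAX = 64


def principal_digests(principal_name: str) -> dict:
    """Assumption: Ambari's principal_digest* variables are hex digests of
    the principal string. Lengths: SHA-1 40, SHA-256 64, SHA-512 128."""
    data = principal_name.encode("utf-8")
    return {
        "principal_digest": hashlib.sha1(data).hexdigest(),
        "principal_digest_256": hashlib.sha256(data).hexdigest(),
        "principal_digest_512": hashlib.sha512(data).hexdigest(),
    }


def render_attributes(principal_name: str, cn_variable: str, is_service: bool) -> dict:
    """Stand-in for ad_create_attributes_template: builds the LDAP attribute
    set for one principal, taking the CN from the chosen template variable.
    unicodePwd is omitted because the password is irrelevant to the length check."""
    variables = principal_digests(principal_name)
    variables["principal_name"] = principal_name
    variables["normalized_principal"] = principal_name  # assumption: realm already upper-case
    attrs = {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": variables[cn_variable],
        "userPrincipalName": variables["normalized_principal"],
        "accountExpires": "0",
        "userAccountControl": "66048",
    }
    if is_service:  # mirrors the #if( $is_service ) block in the template
        attrs["servicePrincipalName"] = principal_name
    return attrs


def cn_fits_ad(attrs: dict) -> bool:
    """True when the rendered CN would be accepted by Active Directory."""
    return len(attrs["cn"]) <= AD_CN_MAX


if __name__ == "__main__":
    # Constructed principal in the shape of the one from the question (95 chars).
    principal = ("HTTP/hdp-cluster-worker-3.xy12zabc4def5ghijk6lm7nopq8rstuv"
                 ".px.internal.cloudapp.net@EXAMPLE.COM")
    for var in ("principal_name", "principal_digest",
                "principal_digest_256", "principal_digest_512"):
        attrs = render_attributes(principal, var, is_service=True)
        print(f"{var:22s} cn_len={len(attrs['cn']):3d} fits={cn_fits_ad(attrs)}")
```

Only principal_digest and principal_digest_256 pass the check for the long hostname; principal_digest_512 is twice the limit and fails just as the raw principal name does.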