Cloudbreak - kerberos-env json descriptor format

avatar

I'm trying to add some advanced Kerberos options within Cloudbreak and am stuck on the format of the kerberos-env JSON descriptor. I have tried a few things and keep getting "The descriptor must be a valid JSON with the required fields".

Can anyone advise on the format that should be used?

1 ACCEPTED SOLUTION

avatar

There is an example here, near the bottom of the page:

https://docs.hortonworks.com/HDPDocuments/Cloudbreak/Cloudbreak-2.4.2/content/security-kerberos/inde...

If that doesn't help you, can you share what you've used that is giving you an error?

avatar

Thanks for sharing your JSON. It looks good, but the error also complains about the required fields. I don't see some fields (realm / kdc_type / kdc_host / admin_server_host etc.) that you can see in the example in the link I previously sent. Can you try to include those values and see if that makes any improvement?

avatar

I have tried the following in a few different ways. Removing the kerberos-env and just using properties. I have also tried getting the kerberos-descriptor from the API and using that. I get the message "The descriptor must be a valid JSON with the required fields Kerberos configuration contains inconsistent parameters" with the below code.

{
  "kerberos-env" : {
    "properties" : {
      "password_min_uppercase_letters" : "1",
      "password_min_whitespace" : "0",
      "password_min_punctuation" : "1",
      "manage_auth_to_local" : "true",
      "password_min_digits" : "1",
      "set_password_expiry" : "false",
      "encryption_types" : "aes des3-cbc-sha1 rc4 des-cbc-md5",
      "kdc_create_attributes" : "",
      "create_ambari_principal" : "true",
      "password_min_lowercase_letters" : "1",
      "password_length" : "20",
      "case_insensitive_username_rules" : "true",
      "manage_identities" : "true",
      "password_chat_timeout" : "5",
      "ad_create_attributes_template" : "\n{\n  \"objectClass\": [\"top\", \"person\", \"organizationalPerson\", \"user\"],\n  \"cn\": \"$principal_digest_256\",\n  #if( $is_service )\n  \"servicePrincipalName\": \"$principal_name\",\n  #end\n  \"userPrincipalName\": \"$normalized_principal\",\n  \"unicodePwd\": \"$password\",\n  \"accountExpires\": \"0\",\n  \"userAccountControl\": \"66048\"\n}",
      "preconfigure_services" : "DEFAULT",
      "install_packages" : "true",
      "ldap_url" : "ldaps://system.example.com:636",
      "executable_search_paths" : "/usr/bin, /usr/kerberos/bin, /usr/sbin, /usr/lib/mit/bin, /usr/lib/mit/sbin",
      "group" : "ambari-managed-principals",
      "kdc_type" : "active-directory"
    }
  }
}
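
A pre-submission check for a descriptor like the one posted above, as an added example that is not part of the original thread and is not Cloudbreak's own validation: it confirms the text parses as JSON, has the kerberos-env / properties nesting, and carries the fields named in the reply (realm, kdc_type, kdc_host, admin_server_host). Assumptions: the required-field list is only as complete as that reply, the weak-encryption-type check is an addition based on RFC 6649 and RFC 8429, and check_descriptor is a hypothetical helper name.

```python
import json

# Fields the reply in this thread names as required. The reply ends with
# "etc", so this list is an assumption and may be incomplete.
REQUIRED_FIELDS = ("realm", "kdc_type", "kdc_host", "admin_server_host")

# Kerberos encryption types deprecated by RFC 6649 (single DES) and
# RFC 8429 (3DES, RC4), matched by name prefix. "arcfour" is the
# alternative spelling of rc4.
WEAK_ENCTYPE_PREFIXES = ("des", "rc4", "arcfour")


def check_descriptor(text):
    """Return a list of findings for a kerberos-env descriptor string."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    env = doc.get("kerberos-env") if isinstance(doc, dict) else None
    props = env.get("properties") if isinstance(env, dict) else None
    if not isinstance(props, dict):
        return ['expected the shape {"kerberos-env": {"properties": {...}}}']
    findings = []
    for name in REQUIRED_FIELDS:
        if not str(props.get(name, "")).strip():
            findings.append(f"missing or empty field: {name}")
    for enctype in str(props.get("encryption_types", "")).split():
        if enctype.lower().startswith(WEAK_ENCTYPE_PREFIXES):
            findings.append(f"weak encryption type: {enctype}")
    return findings


# Constructed sample: a shortened form of the descriptor posted in the thread.
SAMPLE = """
{
  "kerberos-env": {
    "properties": {
      "kdc_type": "active-directory",
      "ldap_url": "ldaps://system.example.com:636",
      "encryption_types": "aes des3-cbc-sha1 rc4 des-cbc-md5"
    }
  }
}
"""

if __name__ == "__main__":
    for finding in check_descriptor(SAMPLE):
        print(finding)
```

A clean result here does not rule out the "inconsistent parameters" error, which in this thread came from values left in the basic section of the form rather than from the descriptor text.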

avatar

Just added those and getting "Kerberos configuration contains inconsistent parameters"

avatar

Just figured it out. I had previously filled in the basic section and it seems to conflict if you don't clear it when moving to the advanced configuration. I have cleared basic and the configuration has started.

Thank you for your help and very prompt responses 🙂

avatar

Awesome, glad you got it working now and thanks for clarifying how you got it up! 🙂