Created on 07-01-2016 07:40 AM - edited 09-16-2022 03:28 AM
I am trying to turn on Kerberos security on my Cloudera cluster using Cloudera Manager (CM). I have an existing Kerberos KDC in my network as part of an integrated FreeIPA server. I am able to create a cloudera-scm user with admin privs on the CM node, install the keytab file, and authenticate to the CM. However, I see that when CM tries to create a principal for other Hadoop services, it fails.
I found a similar issue posted with IPA and Ambari. It seems FreeIPA does not permit applications to directly access the kadmin tool. Instead the service exposes an equivalent set of ipa commands. (reference: https://www.redhat.com/archives/freeipa-users/2015-April/msg00560.html)
Looking at the CM logs, it appears to be the same issue where CM is failing on a kadmin command trying to create a principal for the HDFS user. Is it possible to modify the CM Kerberos interface to use the equivalent ipa commands?
Created 07-06-2016 08:21 AM
Created 07-01-2016 09:40 AM
Within Cloudera Manager you could use the Custom Kerberos Keytab Retrieval Script; an example script is documented here: http://www.cloudera.com/documentation/enterprise/latest/topics/sg_keytab_retrieval_script.html
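A sketch of what such a retrieval script could look like against FreeIPA, added here as an example (it is not part of the reply above and is not Cloudera's documented script). It assumes CM calls the script with a destination keytab path and a full `service/host@REALM` principal, that the caller already holds a Kerberos ticket permitted to add services and fetch keytabs, and that the host is enrolled in IPA; `ipa.example.com` is a placeholder.

```shell
#!/bin/sh
# Added example: keytab retrieval via FreeIPA instead of kadmin.
# Assumed interface: $1 = destination keytab path, $2 = service/host@REALM.
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"   # placeholder server name

# Split a principal into "service host realm". Fail on any unexpected
# character so only a well-formed name ever reaches the ipa command line.
parse_principal() (
  p=$1
  case $p in */*@*) ;; *) exit 1 ;; esac
  service=${p%%/*}; rest=${p#*/}; host=${rest%%@*}; realm=${rest#*@}
  case $service in ''|*[!A-Za-z0-9_-]*) exit 1 ;; esac
  case $host in ''|*[!A-Za-z0-9.-]*) exit 1 ;; esac
  case $realm in ''|*[!A-Za-z0-9.-]*) exit 1 ;; esac
  echo "$service $host $realm"
)

# Create the service principal if needed and write its keytab to $1.
retrieve_keytab() (
  dest=$1 principal=$2
  parse_principal "$principal" >/dev/null || {
    echo "rejected principal: $principal" >&2; exit 2; }
  case $dest in
    /*) ;;
    *) echo "keytab path must be absolute: $dest" >&2; exit 2 ;;
  esac
  umask 077   # the keytab holds long-term keys: owner-only from creation
  # Add the service only when IPA does not already know it.
  ipa service-show "$principal" >/dev/null 2>&1 ||
    ipa service-add "$principal" || exit 1
  # ipa-getkeytab issues new keys, so older keytabs for this principal
  # stop working once this succeeds.
  ipa-getkeytab -s "$IPA_SERVER" -p "$principal" -k "$dest" || exit 1
  chmod 600 "$dest"
)

# Entry point when invoked with the two assumed arguments.
if [ "$#" -eq 2 ]; then
  retrieve_keytab "$1" "$2"
  exit $?
fi
```
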
Created 07-19-2016 03:07 PM