Created 01-18-2017 01:58 AM
I am trying to enable HA for Ranger Admin and for that I need to add all of the Ranger Admin hosts' HTTP principals and the LoadBalancer principal to the same SPNEGO keytab file. I need instructions on creating the AD user (a hint to the script which Ambari uses to create new principals and keytab files) and on adding the principals into a single keytab file.
Created 01-18-2017 03:28 PM
I believe that a combination of both @Kuldeep Kulkarni's and @Vipin Rathor's answers is correct. Combining them and assuming the SPNEGO principals (HTTP/<host>) for the Ranger hosts already exist in the Active Directory:
Do not attempt to export a new keytab file for the previously existing SPNEGO principals, as this will change the password on the account and invalidate the existing (relevant) keytab files in the cluster. You should find the needed keytab file on the appropriate hosts at /etc/security/keytabs/spnego.service.keytab.
Creating the new account in the Active Directory can be done by logging into the Active Directory and using the new user wizard: right-click on the LDAP container (aka the "OU"), select "New" and then select "User" from the menus. You can also create a new user in the Active Directory by using LDAP commands from the OpenLDAP packages (ldapadd), but you will need to create a Unicode password and an LDIF file. I believe there will be an article on HCC about this in the rather near future courtesy of @dvillarreal with a little help from me.
Creating the keytab file can be done using the ktpass utility on the Active Directory host; or, since you might know the password for the account, you can use ktutil to build one on a Linux host.
Created 01-18-2017 10:02 AM
I think Ambari uses APIs for creating principals. Instead of going the complex way, the easiest way is to use 'ktpass' to export the principals into a keytab.
Please see - https://technet.microsoft.com/en-us/library/cc753771(v=ws.11).aspx
Hope this information helps!
Created 01-18-2017 10:59 AM
Hello @Saikiran Parepally,
To add to @Kuldeep Kulkarni's answer, you can find the instructions to create the AD user and keytab here:
Once you have generated keytabs for all the required principals, you can copy them to the Ranger Admin node(s) and use the "ktutil" command from the Kerberos package to merge all keytabs into one. Like this:
# ktutil
ktutil:  rkt /tmp/service1.keytab
ktutil:  rkt /tmp/service2.keytab
ktutil:  rkt /tmp/service3.keytab
ktutil:  wkt /tmp/combined.keytab
ktutil:  exit
Hope this helps !
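The ktutil merge above, together with the warning in Robert Levas's answer that re-exporting an existing principal resets its password and invalidates the keytabs already in the cluster, as an added example that is not code from this thread, from Ambari or from Ranger: a small Python reader, writer and merger for the MIT keytab file format (version 0x0502, big-endian) that does what the "rkt ... wkt" session does, then runs the two checks worth doing before handing the file to Ranger Admin: every expected HTTP principal is present, and no principal appears with two different kvnos (the symptom of an account that was exported a second time with ktpass). The realm, hostnames, keys and kvnos are constructed sample data standing in for the per-host spnego.service.keytab files.

```python
# Added example: minimal MIT keytab (format 0x0502) reader/writer/merger.
# Not code from the thread, Ambari or Ranger; sample realm/hosts/keys are made up.
import struct

KEYTAB_VERSION = b"\x05\x02"     # MIT keytab format version 2, all fields big-endian
KRB5_NT_PRINCIPAL = 1            # name type ktpass/kadmin use for service principals
AES256_CTS_HMAC_SHA1_96 = 18     # enctype number, 32-byte key


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': uint16 length prefix followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def encode_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Serialize one entry as int32 size followed by the entry body."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)  # name type, time, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key                     # keyblock
    body += struct.pack(">I", kvno)                                         # trailing 32-bit kvno
    return struct.pack(">i", len(body)) + body


def write_keytab(entries) -> bytes:
    """entries: iterable of (principal, kvno, enctype, key, timestamp)."""
    return KEYTAB_VERSION + b"".join(encode_entry(*e) for e in entries)


def read_keytab(blob: bytes):
    """Parse a keytab into a list of (principal, kvno, enctype, key, timestamp), file order."""
    if blob[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % blob[:2])
    pos, entries = 2, []
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:               # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        realm, pos = _read_counted(blob, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(blob, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        enctype, klen = struct.unpack_from(">HH", blob, pos + 9)
        pos += 13
        key = blob[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:         # 32-bit kvno present; it overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype, key, timestamp))
    return entries


def merge_keytabs(blobs):
    """Concatenate entries from several keytabs (what 'rkt a; rkt b; wkt out' does), dropping
    exact duplicates. Returns (merged_bytes, warnings); a warning means one principal carries
    two different kvnos, i.e. one of the inputs came from a re-export that reset the password."""
    seen, merged, warnings = set(), [], []
    for blob in blobs:
        for principal, kvno, enctype, key, ts in read_keytab(blob):
            if (principal, enctype, kvno) in seen:
                continue
            older = sorted(v for (p, e, v) in seen if p == principal and e == enctype)
            if older:
                warnings.append("%s: kvno %s and %d both present" % (principal, older, kvno))
            seen.add((principal, enctype, kvno))
            merged.append((principal, kvno, enctype, key, ts))
    return write_keytab(merged), warnings


def missing_principals(blob: bytes, expected):
    """Principals from 'expected' that the keytab does not contain (the klist -kt check)."""
    present = {entry[0] for entry in read_keytab(blob)}
    return sorted(set(expected) - present)


def sample_keytabs():
    """Constructed per-host SPNEGO keytabs: two Ranger Admin hosts plus the load balancer."""
    realm = "EXAMPLE.COM"
    return [
        write_keytab([("HTTP/ranger1.example.com@" + realm, 3, AES256_CTS_HMAC_SHA1_96, b"\x11" * 32, 0)]),
        write_keytab([("HTTP/ranger2.example.com@" + realm, 2, AES256_CTS_HMAC_SHA1_96, b"\x22" * 32, 0)]),
        write_keytab([("HTTP/ranger-lb.example.com@" + realm, 1, AES256_CTS_HMAC_SHA1_96, b"\x33" * 32, 0)]),
    ]


if __name__ == "__main__":
    combined, warnings = merge_keytabs(sample_keytabs())
    for principal, kvno, enctype, _key, _ts in read_keytab(combined):   # klist -kt style listing
        print("%4d %s (enctype %d)" % (kvno, principal, enctype))
    print("missing:", missing_principals(combined, ["HTTP/ranger-lb.example.com@EXAMPLE.COM"]))
    print("warnings:", warnings)
```

To run it against real files, pass `open(path, "rb").read()` for each spnego.service.keytab and the load-balancer keytab to merge_keytabs and write the returned bytes to the combined keytab with mode 0400. A non-empty warnings list means one of the inputs was produced by a second export of the same account; in that case the entry with the lower kvno is the stale one and the services that still hold it will fail to authenticate.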
Created 01-18-2017 04:52 PM
@Robert Levas @Kuldeep Kulkarni @Vipin Rathor ... Thanks a lot for your responses. Initially our AD team was hesitant to create principals for the LoadBalancer and that's the reason why I was looking at the Ambari scripts to create that. Now they are convinced and have created the principal for the load balancer in AD. I followed the ktutil steps mentioned by @Vipin Rathor to merge the keytabs as suggested by @Robert Levas. This has solved the issue and I am successfully able to sync policies.
Created 02-09-2017 10:17 PM
Article created for future reference. https://community.hortonworks.com/content/kbentry/82544/how-to-create-ad-principal-accounts-using-op...