
Commands to add HTTP principals to spnego keytab file for AD integrated Kerberos cluster

Rising Star

I am trying to enable HA for Ranger Admin, and for that I need to add all of the Ranger Admin hosts' HTTP principals and the load balancer principal to the same spnego keytab file. I need instructions on creating the AD user (a hint to the script which Ambari uses to create new principals and keytab files) and adding the principals into a single keytab file.

1 ACCEPTED SOLUTION


I believe that a combination of both @Kuldeep Kulkarni's and @Vipin Rathor's answers is correct. Combining them, and assuming the SPNEGO principals (HTTP/<host>) for the Ranger hosts already exist in the Active Directory:

  1. Create the account in the Active Directory for the load balancer host (HTTP/<loadbalancer FQDN>@<realm>)
  2. Export the keytab file for the created account
  3. Combine the relevant keytab files into a single file using ktutil

Do not attempt to export a new keytab file for the previously existing SPNEGO principals, as this will change the password on the account and invalidate the existing (relevant) keytab files in the cluster. You should find the needed keytab file on the appropriate hosts at /etc/security/keytabs/spnego.service.keytab.

Creating the new account in the Active Directory can be done by logging into the Active Directory and using the new user wizard - right mouse click on the LDAP container (aka the "OU"), select "New" and then select "User" from the menus. You can also create a new user in the Active Directory by using LDAP commands from the OpenLDAP packages (ldapadd), but you will need to create a Unicode password and an LDIF file - I believe there will be an article on HCC about this in the rather near future courtesy of @dvillarreal with a little help from me.

Creating the keytab file can be done using the ktpass utility on the Active Directory host; or, since you might know the password for the account, you can use ktutil to build one on a Linux host.


5 REPLIES

Master Guru
@Saikiran Parepally

I think Ambari uses APIs for creating principals. Instead of going the complex way, the easiest way is to use 'ktpass' to extract the principals into a keytab.

Please see - https://technet.microsoft.com/en-us/library/cc753771(v=ws.11).aspx

Hope this information helps!

Guru

Hello @Saikiran Parepally,

To add to @Kuldeep Kulkarni's answer, you can find the instructions to create an AD user and keytab here:

https://community.hortonworks.com/content/supportkb/48973/how-to-setup-kerberos-keytab-for-hadoop-se...

Once you have generated keytabs for all the required principals, you can copy them to the Ranger Admin node(s) and use the "ktutil" command from the Kerberos package to merge all keytabs into one, like this:

# ktutil
ktutil:  rkt /tmp/service1.keytab
ktutil:  rkt /tmp/service2.keytab
ktutil:  rkt /tmp/service3.keytab
ktutil:  wkt /tmp/combined.keytab
ktutil:  exit

Hope this helps!
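The ktutil session above and the merge step in the accepted answer, scripted as an added example that is not code from the thread or from Ambari: it reads each per-host keytab with rkt, writes one combined file, and then checks a `klist -kt` listing for the expected HTTP principals. It assumes MIT Kerberos ktutil/klist are installed; the host names, realm and file paths are constructed placeholders.

```shell
# Added example, not from the thread: script the ktutil merge and verify the
# result. Assumes MIT Kerberos ktutil/klist are installed; host names and
# realm below are constructed placeholders.

# merge_keytabs OUT IN1 IN2 ...: read each input keytab with rkt and write the
# combined entries to OUT (same rkt/wkt sequence as the ktutil session above).
merge_keytabs() {
  out=$1
  shift
  {
    for kt in "$@"; do
      printf 'rkt %s\n' "$kt"
    done
    printf 'wkt %s\nexit\n' "$out"
  } | ktutil
  # Keytabs hold long-term keys: keep the merged file owner-readable only.
  chmod 0400 "$out"
}

# principals_in_listing: read `klist -kt` output on stdin and print each
# distinct principal once. Entry lines start with a numeric KVNO followed by
# date, time and principal, so field 4 is the principal even with `klist -kte`.
principals_in_listing() {
  awk '$1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}

# check_principals P1 P2 ...: succeed only if every named principal appears in
# the `klist -kt` listing on stdin; report each missing one on stderr.
check_principals() {
  listing=$(principals_in_listing)
  missing=0
  for p in "$@"; do
    if ! printf '%s\n' "$listing" | grep -qxF "$p"; then
      echo "missing from keytab: $p" >&2
      missing=1
    fi
  done
  return $missing
}

# Typical use on a Ranger Admin host (constructed names):
#   merge_keytabs /tmp/combined.keytab /tmp/ranger1-spnego.keytab \
#       /tmp/ranger2-spnego.keytab /tmp/lb-spnego.keytab
#   klist -kt /tmp/combined.keytab | check_principals \
#       HTTP/ranger1.example.com@EXAMPLE.COM \
#       HTTP/ranger2.example.com@EXAMPLE.COM \
#       HTTP/ranger-lb.example.com@EXAMPLE.COM
```

If the listing shows the same principal under two different KVNOs, one of the source keytabs was exported after a password change and is stale; replace that keytab rather than merging it, in line with the warning in the accepted answer.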


Rising Star

@Robert Levas @Kuldeep Kulkarni @Vipin Rathor ... Thanks a lot for your responses. Initially our AD team was hesitant to create principals for the load balancer, and that's the reason why I was looking at the Ambari scripts to create that. Now they are convinced and have created the principal for the load balancer in AD. I followed the ktutil steps mentioned by @Vipin Rathor to merge the keytabs, as suggested by @Robert Levas. This has solved the issue and I am successfully able to sync policies.
