Create Kerberos Principals for Each User in home

Contributor

Hi,

Enabled Kerberos as MIT KDC in my HDP and I would like to create Kerberos principals and keytabs for each user in my home. Any suggestions how to create and assign?

1 ACCEPTED SOLUTION

Master Mentor

@Sam Red

Assumption

KDC is running

KDC is created

KDC user and master password is available

REALM TEST.COM

Edgenode : for users

user is root or sudoer

To succeed you MUST give users access to your home directory 🙂 Not a good solution security-wise.... If these are Unix users then create the keytabs in e.g. /tmp and later copy them to the respective home directories, and make sure to set the correct permissions on the keytabs.

You will notice a node dedicated to users, the EDGE NODE; all client software is installed here and not on the data or name nodes!

# cd /tmp
# sudo kadmin.local
Authenticating as principal root/admin@TEST.COM with password.
kadmin.local:  addprinc user1@TEST.COM
WARNING: no policy specified for user1@TEST.COM; defaulting to no policy
Enter password for principal "user1@TEST.COM":
Re-enter password for principal "user1@TEST.COM":
Principal "user1@TEST.COM" created. 

-----do the same for all other users too ------

addprinc user2@TEST.COM 
addprinc user3@TEST.COM
addprinc usern@TEST.COM 

The keytabs will be generated in the current directory

# generate keytab for user1
##########################################
# sudo ktutil
ktutil:  addent -password -p user1@TEST.COM -k 1 -e RC4-HMAC
Password for user1@TEST.COM:
ktutil:  wkt user1.keytab
ktutil:  q 

You MUST repeat the above for all your users

# chown user1:user1 user1.keytab 

Again do the above for all users and copy the keytabs from the KDC to the edge node,

change the ownership of the respective keytabs

# chown user1:user1 user1.keytab 

Validate the principals; in this example the keytabs are in /etc/security/keytabs

# klist -kt /etc/security/keytabs/user1.keytab 
Keytab name: FILE:/etc/security/keytabs/user1.keytab 
KVNO                Timestamp                   Principal 
---- ------------------- ------------------------------------------------------ 
1                  07/18/2017 10:46:27         user1@TEST.COM 

Test: the new user1 should try grabbing a Kerberos ticket

# kinit -kt /etc/security/keytabs/user1.keytab user1@TEST.COM 

The command below should show the validity of the Kerberos ticket

# klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: user1@TEST.COM 
Valid starting              Expires                         Service principal 
06/09/2017 10:53:48        06/10/2017 10:53:48              krbtgt/TEST.COM@TEST.COM

You should be okay now

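The steps in the answer above (one addprinc per user, one keytab per user, chown, copy, klist) are repetitive and easy to get wrong for the permissions step. The script below is an added example, not code from the answer or from HDP: it derives the user list from /etc/passwd, stages the keytabs in a mode-700 temp directory, installs each one mode 0400 owned by its user, and verifies the permissions afterwards. It keeps the answer's realm TEST.COM and keytab directory /etc/security/keytabs as defaults (override with REALM and KEYTAB_DIR). Assumptions beyond the thread: MIT krb5 tools (kadmin.local, klist) and GNU coreutils (stat -c, install, shred, mktemp -d); the principals are created with -randkey so no interactive password is needed, which means they are keytab-only (users who also need password kinit should instead be created with a password and have their keytab built with ktutil addent -password as the answer shows, because ktadd re-keys a principal); and the enctype is AES rather than the RC4-HMAC used in the answer, since RC4 is deprecated and refused by current krb5 builds.

```shell
#!/bin/sh
# Added example (not part of the original post): provision one keytab per
# Unix user with a home directory. Assumes MIT Kerberos tools and GNU
# coreutils. REALM and KEYTAB_DIR defaults come from the thread.
set -eu

REALM="${REALM:-TEST.COM}"
KEYTAB_DIR="${KEYTAB_DIR:-/etc/security/keytabs}"
# AES instead of the RC4-HMAC shown in the thread (RC4 is deprecated).
ENCTYPE="${ENCTYPE:-aes256-cts-hmac-sha1-96:normal}"

# principal_for USER -> prints USER@REALM
principal_for() {
    printf '%s@%s\n' "$1" "$REALM"
}

# home_users [PASSWD_FILE] -> accounts with a home under /home and a real
# login shell. One list drives both addprinc and ktadd, so nobody is missed.
home_users() {
    awk -F: '$6 ~ /^\/home\// && $7 !~ /(nologin|false)$/ { print $1 }' \
        "${1:-/etc/passwd}"
}

# kadmin_script STAGE_DIR USER... -> the kadmin.local command sequence.
# Print it for a dry run, or pipe it into kadmin.local. -randkey principals
# are keytab-only; ktadd on a password principal would re-key it and break
# that user's password login.
kadmin_script() {
    dir="$1"; shift
    for u in "$@"; do
        p=$(principal_for "$u")
        printf 'addprinc -randkey -e %s %s\n' "$ENCTYPE" "$p"
        printf 'ktadd -k %s/%s.keytab -e %s %s\n' "$dir" "$u" "$ENCTYPE" "$p"
    done
}

# check_keytab_perms PATH OWNER -> 0 only if the file is mode 400 or 600 and
# owned by OWNER. Run this on the edge node after copying: a group- or
# world-readable keytab lets any local account act as that principal.
check_keytab_perms() {
    f="$1"; owner="$2"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f")
    own=$(stat -c '%U' "$f")
    case "$mode" in
        400|600) ;;
        *) echo "bad mode $mode on $f" >&2; return 1 ;;
    esac
    [ "$own" = "$owner" ] || { echo "bad owner $own on $f (want $owner)" >&2; return 1; }
    return 0
}

# install_keytab SRC USER -> copy into KEYTAB_DIR as USER, mode 0400, and verify.
install_keytab() {
    src="$1"; u="$2"
    dest="$KEYTAB_DIR/$u.keytab"
    install -o "$u" -g "$u" -m 0400 "$src" "$dest"
    check_keytab_perms "$dest" "$u"
}

# provision USER... -> stage, create principals and keytabs, install, verify.
provision() {
    stage=$(mktemp -d /tmp/keytabs.XXXXXX)
    chmod 700 "$stage"
    kadmin_script "$stage" "$@" | kadmin.local
    for u in "$@"; do
        install_keytab "$stage/$u.keytab" "$u"
        klist -kt "$KEYTAB_DIR/$u.keytab"   # KVNO / principal, as in the thread
        shred -u "$stage/$u.keytab" 2>/dev/null || rm -f "$stage/$u.keytab"
    done
    rmdir "$stage"
}

# Only touch the KDC when explicitly asked; otherwise just define functions.
if [ "${KEYTAB_PROVISION:-0}" = 1 ]; then
    # shellcheck disable=SC2046
    provision $(home_users)
fi
```

Run it as root on the KDC with `KEYTAB_PROVISION=1 sh provision-keytabs.sh`; `kadmin_script /tmp/stage alice bob` prints the kadmin commands for review first. After scp'ing keytabs to the edge node, `check_keytab_perms /etc/security/keytabs/user1.keytab user1` is the check worth scripting there, since that is the step the answer flags as the security-sensitive one.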

Contributor

@Geoffrey Shelton Okot

Perfect Thank You.