
Create Kerberos Principals for Each User in home

Contributor

Hi,

Enabled Kerberos as MIT KDC in my HDP, and I would like to create Kerberos principals and keytabs for each user in my home. Any suggestions how to create and assign them?

1 ACCEPTED SOLUTION

Master Mentor

@Sam Red

Assumption

KDC is running

KDC is created

KDC user and master password is available

REALM TEST.COM

Edgenode : for users

user is root or sudoer

To succeed you MUST give users access to your home directory 🙂 Not a good solution security wise. If these are Unix users, then create the keytabs in e.g. /tmp and later copy them to the respective home directories, and make sure to set the correct permissions on the keytabs.

You will notice a node dedicated to users, the EDGE NODE; all client software is installed here and not on the data or name nodes!

# cd /tmp
# sudo kadmin.local
Authenticating as principal root/admin@TEST.COM with password.
kadmin.local:  addprinc user1@TEST.COM
WARNING: no policy specified for user1@TEST.COM; defaulting to no policy
Enter password for principal "user1@TEST.COM":
Re-enter password for principal "user1@TEST.COM":
Principal "user1@TEST.COM" created. 

-----do the same for all other users too ------

addprinc user2@TEST.COM 
addprinc user3@TEST.COM
addprinc usern@TEST.COM 

The keytabs will be generated in the current directory.

# generate keytab for user1
##########################################
# sudo ktutil
ktutil:  addent -password -p user1@TEST.COM -k 1 -e RC4-HMAC
Password for user1@TEST.COM:
ktutil:  wkt user1.keytab
ktutil:  q 

You MUST repeat the above for all your users

# chown user1:user1 user1.keytab 

Again, do the above for all users and copy the keytabs from the KDC to the edge node,

then change the ownership of the respective keytabs:

# chown user1:user1 user1.keytab 

Validate the principals; in this example the keytabs are in /etc/security/keytabs:

# klist -kt /etc/security/keytabs/user1.keytab 
Keytab name: FILE:/etc/security/keytabs/user1.keytab 
KVNO                Timestamp                   Principal 
---- ------------------- ------------------------------------------------------ 
1                  07/18/2017 10:46:27         user1@TEST.COM 

Test: the new user1 should try grabbing a Kerberos ticket:

# kinit -kt /etc/security/keytabs/user1.keytab user1@TEST.COM 

The command below should show the validity of the Kerberos ticket:

# klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: user1@TEST.COM 
Valid starting              Expires                         Service principal 
06/09/2017 10:53:48        06/10/2017 10:53:48              krbtgt/TEST.COM@TEST.COM

You should be okay now

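The procedure above is typed by hand once per user. The script below is an added example (not the poster's own commands, and not part of any HDP tooling) that does the same provisioning for a whole list of Unix users from a file, and locks each keytab down to owner-only permissions before it is copied to the edge node. It assumes it runs as root on the KDC host with the MIT krb5 tools installed, realm TEST.COM, and a constructed user list with one name per line; the KEYTAB_DIR, KADMIN and CHOWN variables are this script's own knobs, not kadmin options. It differs from the accepted answer in two ways worth knowing: it creates principals with `addprinc -randkey` and exports the key with `ktadd`, so the user authenticates with the keytab only (set a password later with `cpw` in kadmin if one is wanted), and `ktadd` writes whatever enctypes the KDC is configured for rather than the RC4-HMAC the ktutil line selects; RC4 is deprecated for Kerberos (RFC 8429), so prefer the AES types. Note also that `ktadd` increments the principal's kvno each time it runs, which invalidates any older keytab for the same principal; with the ktutil route in the answer the `-k 1` you type must match the kvno the KDC actually holds (`getprinc user1` in kadmin shows it), otherwise `kinit -kt` fails even though `klist -kt` looks fine.

```sh
#!/bin/sh
# Added example: bulk-create one Kerberos principal and one keytab per Unix
# user, then restrict the keytab file. Assumptions (constructed for this
# example): realm TEST.COM, run as root on the KDC host, MIT krb5 installed,
# user names in a text file, one per line ('#' lines are comments).
set -eu

REALM="${REALM:-TEST.COM}"
KEYTAB_DIR="${KEYTAB_DIR:-/tmp/keytabs}"   # staging dir; copy to the edge node afterwards
KADMIN="${KADMIN:-kadmin.local}"            # overridable so the logic can be exercised without a KDC
CHOWN="${CHOWN:-chown}"                     # overridable for the same reason

# principal_for user -> user@REALM
principal_for() { printf '%s@%s\n' "$1" "$REALM"; }

# keytab_for user -> path of that user's keytab in the staging directory
keytab_for() { printf '%s/%s.keytab\n' "$KEYTAB_DIR" "$1"; }

# provision_user user: create the principal with a random key and export the
# key into a per-user keytab. -randkey means the principal has no usable
# password; the keytab is the only credential until 'cpw' sets one.
provision_user() {
    u="$1"
    princ="$(principal_for "$u")"
    kt="$(keytab_for "$u")"
    mkdir -p "$KEYTAB_DIR"
    "$KADMIN" -q "addprinc -randkey $princ"
    # ktadd exports the current key and bumps the kvno, so any earlier keytab
    # for this principal stops working after this step.
    "$KADMIN" -q "ktadd -k $kt $princ"
    # A keytab is a long-lived credential: owned by the user, readable by nobody else.
    "$CHOWN" "$u:$u" "$kt"
    chmod 600 "$kt"
}

# verify_keytab user: exit status 0 only if the keytab lists the expected principal
verify_keytab() {
    klist -kt "$(keytab_for "$1")" | grep -q "$(principal_for "$1")"
}

# provision_all userfile: provision every non-comment, non-empty line
provision_all() {
    grep -v '^#' "$1" | while read -r u; do
        [ -n "$u" ] && provision_user "$u"
    done
}

# Run the batch only when a user list is given on the command line,
# e.g.  sh provision_keytabs.sh users.txt
if [ -n "${1:-}" ]; then
    provision_all "$1"
fi
```

After the run, copy `/tmp/keytabs/*.keytab` to the edge node, keep the 0600 mode on the copy, and check each file with `klist -kt` and `kinit -kt` exactly as the answer shows before deleting the staging copies on the KDC.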

2 REPLIES 2

Contributor

@Geoffrey Shelton Okot

Perfect Thank You.