Create Kerberos Principals for Each User in home


Hi,

Enabled Kerberos as MIT KDC in my HDP and I would like to create Kerberos principals and keytabs for each user in my home. Any suggestions how to create and assign?

Re: Create Kerberos Principals for Each User in home

Mentor

@Sam Red

Assumption

KDC is running

KDC is created

KDC user and master password is available

REALM TEST.COM

Edgenode : for users

user is root or sudoer

To succeed you MUST give users access to your home directory :-) Not a good solution security-wise. If these are Unix users, then create the keytabs in e.g. /tmp and later copy them to the respective home directories, and make sure to set the correct permissions on the keytabs.

You will notice a node dedicated to users, the EDGE NODE; all client software is installed here and not on the data or name nodes!

# cd /tmp
# sudo kadmin.local
Authenticating as principal root/admin@TEST.COM with password.
kadmin.local:  addprinc user1@TEST.COM
WARNING: no policy specified for user1@TEST.COM; defaulting to no policy
Enter password for principal "user1@TEST.COM":
Re-enter password for principal "user1@TEST.COM":
Principal "user1@TEST.COM" created. 

----- do the same for all other users too -----

addprinc user2@TEST.COM 
addprinc user3@TEST.COM
addprinc usern@TEST.COM 

The keytabs will be generated in the current directory

# generate keytab for user1
##########################################
# sudo ktutil
ktutil:  addent -password -p user1@TEST.COM -k 1 -e RC4-HMAC
Password for user1@TEST.COM:
ktutil:  wkt user1.keytab
ktutil:  q 

You MUST repeat the above for all your users

# chown user1:user1 user1.keytab 

Again, do the above for all users and copy the keytabs from the KDC to the edge node, then change the ownership of the respective keytabs

 # chown user1:user1 user1.keytab 

Validate the principals. In this example the keytabs are in /etc/security/keytabs

# klist -kt /etc/security/keytabs/user1.keytab 
Keytab name: FILE:/etc/security/keytabs/user1.keytab 
KVNO                Timestamp                   Principal 
---- ------------------- ------------------------------------------------------ 
1                  07/18/2017 10:46:27         user1@TEST.COM 

Test: the new user1 should try grabbing a Kerberos ticket

# kinit -kt /etc/security/keytabs/user1.keytab user1@TEST.COM 

The command below should show the validity of the Kerberos ticket

# klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: user1@TEST.COM 
Valid starting              Expires                         Service principal 
06/09/2017 10:53:48        06/10/2017 10:53:48              krbtgt/TEST.COM@TEST.COM

You should be okay now
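
A scripted form of the per-user steps in the answer above, as an added example that is not part of the original post: it uses `addprinc -randkey` and `ktadd` with an AES-256 enctype in place of interactive passwords and `ktutil` with RC4-HMAC, so each user authenticates with the keytab only. `KEYTAB_DIR`, `ENCTYPE` and the function names are assumptions; the realm and user names are the thread's sample values.

```shell
#!/bin/sh
# Added example, not from the original post. REALM and user names are the
# thread's sample values; KEYTAB_DIR, ENCTYPE and function names are assumptions.
REALM="${REALM:-TEST.COM}"
KEYTAB_DIR="${KEYTAB_DIR:-/etc/security/keytabs}"
KADMIN="${KADMIN:-kadmin.local}"          # run as root on the KDC host
ENCTYPE="${ENCTYPE:-aes256-cts-hmac-sha1-96:normal}"
umask 077                                 # new keytabs are never group/world readable

# Accept only plain Unix-style names so nothing unexpected reaches the kadmin query.
valid_user() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Create the principal with a random key, export it to a per-user keytab,
# then restrict the file to its owner.
provision_user() {
    user="$1"
    valid_user "$user" || { echo "skipping invalid name: $user" >&2; return 1; }
    keytab="$KEYTAB_DIR/$user.keytab"
    "$KADMIN" -q "addprinc -randkey $user@$REALM" || return 1
    "$KADMIN" -q "ktadd -k $keytab -e $ENCTYPE $user@$REALM" || return 1
    # Check the file rather than trusting kadmin's exit status alone.
    [ -s "$keytab" ] || { echo "no keytab written for $user" >&2; return 1; }
    chown "$user:$(id -gn "$user")" "$keytab" && chmod 400 "$keytab"
}

# Usage: sh provision.sh user1 user2 user3
main() {
    rc=0
    for u in "$@"; do
        provision_user "$u" || rc=1
    done
    return "$rc"
}
main "$@"
```

`ktadd` re-randomizes the principal's key on every run, so running this again for an existing user invalidates any copy of the earlier keytab.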


Re: Create Kerberos Principals for Each User in home

@Geoffrey Shelton Okot

Perfect Thank You.
