Support Questions
Find answers, ask questions, and share your expertise

Create Kerberos Principals for Each User in home

Hi,

Enabled kerberos as MIT KDC in my HDP and i would like to create Kerberos Principals and keytabs for each user in my home any sueggestions how to create and assign ?

1 ACCEPTED SOLUTION

Accepted Solutions

Mentor

@Sam Red

Assumption

KDC is running

KDC is created

KDC user and master password is available

REALM TEST.COM

Edgenode : for users

user is root or sudoer

To succeed you MUST give users access to your home directory 🙂 Not a good solution security wise ....If these are unix users then create the keytabs in e.g /tmp and later copy them to the respective home directories and make sure to change the correct permissions on the keytabs.

You will notice a node dedicated to users EDGE NODE, all client softwares are installed here and not on the data or name nodes!

# cd /tmp
# sudo kadmin.local
Authenticating as principal root/admin@TEST.COM with password.
kadmin.local:  addprinc user1@TEST.COM
WARNING: no policy specified for user1@TEST.COM; defaulting to no policy
Enter password for principal "user1@TEST.COM":
Re-enter password for principal "user1@TEST.COM":
Principal "user1@TEST.COM" created. 

-----do the same for all other user too ------

addprinc user2@TEST.COM 
addprinc user3@TEST.COM
addprinc usern@TEST.COM 

The keytabs with be generated in the current directory

# generate keytab for user1
##########################################
# sudo ktutil
ktutil:  addent -password -p user1@TEST.COM -k 1 -e RC4-HMAC
Password for user1@TEST.COM:
ktutil:  wkt user1.keytab
ktutil:  q 

You MUST repeat the above for all your users

# chown user1:user1 user1.keytab 

Again do the above for all users and copy the keytabs from the kdc to edgenode,

change the ownership of the respective keytabs

 # chown user1:user1 user1.keytab 

Validate the principals in this example the keytabs are in /etc/security/keytabs

# klist -kt /etc/security/keytabs/user1.keytab 
Keytab name: FILE:/etc/security/keytabs/user1.keytab 
KVNO                Timestamp                   Principal 
---- ------------------- ------------------------------------------------------ 
1                  07/18/2017 10:46:27         user1@TEST.COM 

Test the new user1 should try grabbing a kerberos ticket

# kinit -kt /etc/security/keytabs/user1.keytab user1@TEST.COM 

The below command should show athe validity of the kerbero ticket

# klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: user1@TEST.COM 
Valid starting              Expires                         Service principal 
06/09/2017 10:53:48        06/10/2017 10:53:48              krbtgt/TEST.COM@TEST.COM

You should be okay now

View solution in original post

2 REPLIES 2

Mentor

@Sam Red

Assumption

KDC is running

KDC is created

KDC user and master password is available

REALM TEST.COM

Edgenode : for users

user is root or sudoer

To succeed you MUST give users access to your home directory 🙂 Not a good solution security wise ....If these are unix users then create the keytabs in e.g /tmp and later copy them to the respective home directories and make sure to change the correct permissions on the keytabs.

You will notice a node dedicated to users EDGE NODE, all client softwares are installed here and not on the data or name nodes!

# cd /tmp
# sudo kadmin.local
Authenticating as principal root/admin@TEST.COM with password.
kadmin.local:  addprinc user1@TEST.COM
WARNING: no policy specified for user1@TEST.COM; defaulting to no policy
Enter password for principal "user1@TEST.COM":
Re-enter password for principal "user1@TEST.COM":
Principal "user1@TEST.COM" created. 

-----do the same for all other user too ------

addprinc user2@TEST.COM 
addprinc user3@TEST.COM
addprinc usern@TEST.COM 

The keytabs with be generated in the current directory

# generate keytab for user1
##########################################
# sudo ktutil
ktutil:  addent -password -p user1@TEST.COM -k 1 -e RC4-HMAC
Password for user1@TEST.COM:
ktutil:  wkt user1.keytab
ktutil:  q 

You MUST repeat the above for all your users

# chown user1:user1 user1.keytab 

Again do the above for all users and copy the keytabs from the kdc to edgenode,

change the ownership of the respective keytabs

 # chown user1:user1 user1.keytab 

Validate the principals in this example the keytabs are in /etc/security/keytabs

# klist -kt /etc/security/keytabs/user1.keytab 
Keytab name: FILE:/etc/security/keytabs/user1.keytab 
KVNO                Timestamp                   Principal 
---- ------------------- ------------------------------------------------------ 
1                  07/18/2017 10:46:27         user1@TEST.COM 

Test the new user1 should try grabbing a kerberos ticket

# kinit -kt /etc/security/keytabs/user1.keytab user1@TEST.COM 

The below command should show athe validity of the kerbero ticket

# klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: user1@TEST.COM 
Valid starting              Expires                         Service principal 
06/09/2017 10:53:48        06/10/2017 10:53:48              krbtgt/TEST.COM@TEST.COM

You should be okay now

View solution in original post

@Geoffrey Shelton Okot

Perfect Thank You.