Hello,
I'm not done with this issue, for information our HDP use a KDC hosted on an Active Directory wich is used for authenticatation. For security matters we wants to change HDP account passwords on a regular basis :
- When I click on "Kerberos/regenerate keytabs" everything is ok for 90% of the accounts (password is changed and keytab regenerated), but as stated in my first post for 10% of the accounts nothing is done, so I have to remove unmodified keytabs and click on "Only regenerate keytabs for missing hosts and components", the keytabs are regenerated but passwords for those accounts are not modified in the AD.
I've tried for the 10% accounts :
- to change password in AD, generate keytabs on the AD and push the keytabs on HDP boxes => keytabs are not recognized by HDP
- to change password in AD, generate keytabs on the HDP boxes and push the keytabs on HDP boxes => keytabs are not recognized by HDP (pre-authentication failed error message)
So my question is : how can I easily change all the HDP account passwords without breaking Kerberos authentication ?
The only working method I've found is to fully disable kerberos on the HDP cluster (to remove all accounts in the AD) and activate again kerberos on HDP cluster (which creates accounts in the AD with new passwords).
any help on this matter would be greatly appreciated.
regards,
