
Headless Kerberos tickets for interactive users of Hadoop cluster

I have a Hadoop HDP 2.6.3 cluster which uses the company's Active Directory as the Kerberos realm. The nodes and the end-user Linux workstations are all Ubuntu 16.04. They are joined to the same domain using PowerBroker PBIS, so SSH logons between the workstations and the grid nodes are passwordless. End-users run long-running scripts from their workstations, which repeatedly use SSH to first launch Spark / Yarn jobs on the cluster and then keep track of their progress. These have to keep running overnight and on weekends, well beyond the 10-hour lifetime of a Kerberos ticket. I'm looking for a way to install permanent, service-style Kerberos keytabs for the users, relieving them of the need to deal with kinit. I do understand this would imply anyone with shell access to the grid as a particular user would be able to authenticate as that user.

I've seen the instructions in the documentation; however, I'm not able to start either kadmin or kadmin.local. Can I use kadmin.local to create keytabs for principals defined in the Active Directory domain? How should I launch it on a setup like mine?

I've also noticed that performing non-SSO SSH logins using a password automatically creates a new ticket valid from the time of the login. If this behaviour could be enabled for SSO logins, that would solve my problem.