Support Questions

Find answers, ask questions, and share your expertise

How does Ambari Create Service and User Principals and keytabs when Windows AD is used as KDC


How does Ambari automatically create service principals and user principals?

I am not an expert in Java and hence I would be greatly thankful to anyone who can point out the code in github or somewhere which provides me the commands used in the code to create service principals, user principals and keytabs when Windows AD is used as KDC

Thanks for your time



Ambari pretty much does what the following article shows - How to create AD principal accounts using OpenLdap utilities and adding it to a keytab.

Using the Active Directory's LDAP interface (via JNDI) an account is created with the relevant attributes set (same ones from the article). The password for the account is randomly generated by Ambari so it can internally create the keytab file for that account. Finally the keytab file is distributed to the relevant host(s).

The AD-specific logic to create the Kerberos principals is in the ADKerberosOperationHandler class. This extends the KerberosOperationHandler class which contains most of the logic used to create the keytab files.


@Robert Levas Thanks a lot for your help on this.

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.