
How does Ambari create Principals and keytabs on AD as kerberos

Super Collaborator

Hi,

How does Ambari create keytabs and principals when AD KDC is being used since kadmin command does not work?

Is it done programmatically, or through a script similar to kerberos_setup.py in the Ambari resources directory?

1 ACCEPTED SOLUTION


@Pranay Vyas,

When enabling Kerberos, Ambari is set to integrate with an MIT KDC, Active Directory, and soon FreeIPA. This setting allows Ambari to interact with the specific KDC as needed.

In the case of Active Directory, Ambari uses the Active Directory's LDAP interface, via the LDAPS protocol. During the enable Kerberos workflow, the user needs to supply details about this interface (LDAPS URL, container DN, and administrative credentials). Ambari can also be configured to set certain properties on the accounts it creates while enabling Kerberos. Note that the protocol MUST be LDAPS since Active Directory requires a secure connection in order for a password to be set or updated on an account in the domain.

As part of this process, Ambari will internally create and distribute the keytab files that are needed. This can be done because Ambari generates and temporarily holds on to the passwords for each account it creates in the Active Directory. Once the process is complete, the passwords are lost and cannot be retrieved. However the keytab files will exist and be distributed, so the passwords are not needed.


3 REPLIES 3

Super Guru

@Pranay Vyas Pls check this - http://hortonworks.com/blog/enabling-kerberos-hdp-active-directory-integration/

This is internally managed within a script by Ambari. You can check the process details on what command it executes when Ambari tries to create principals for services.


@Pranay Vyas

Are you looking for the following Java code?

https://github.com/apache/ambari/tree/trunk/ambari-server/src/main/java/org/apache/ambari/server/ser...

Like:

https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/java/org/apache/ambari/server/ser...

and

https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/java/org/apache/ambari/server/ser...

From the Python side you can look at the following script (some functions like "def create_keytab_file(principal, path, auth_identity=None)"):

/var/lib/ambari-server/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py
