Created 06-14-2016 03:18 PM
Hi,
How does Ambari create keytabs and principals when an AD KDC is being used, since the kadmin command does not work?
Is it done programmatically, or through a script similar to kerberos_setup.py in the Ambari resources directory?
Created 06-14-2016 03:58 PM
When enabling Kerberos, Ambari can be set to integrate with an MIT KDC, Active Directory, and soon FreeIPA. This setting allows Ambari to interact with the specific KDC as needed.
In the case of Active Directory, Ambari uses the Active Directory's LDAP interface, via the LDAPS protocol. During the enable Kerberos workflow, the user needs to supply details about this interface (LDAPS URL, container DN, and administrative credentials). Ambari can also be configured to set certain properties on the accounts it creates while enabling Kerberos. Note that the protocol MUST be LDAPS since Active Directory requires a secure connection in order for a password to be set or updated on an account in the domain.
As part of this process, Ambari will internally create and distribute the keytab files that are needed. This can be done because Ambari generates and temporarily holds on to the passwords for each account it creates in the Active Directory. Once the process is complete, the passwords are lost and cannot be retrieved. However the keytab files will exist and be distributed, so the passwords are not needed.
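The answer above makes two points worth seeing in code: Active Directory only accepts a password set over an encrypted LDAP connection (and expects the value in a specific encoding), and the artifact Ambari ends up distributing is a keytab holding the derived key, not the password. The following is an added illustration, not Ambari's code and not from the original thread. It encodes a password the way the AD unicodePwd attribute requires, then writes and parses a minimal MIT-format keytab (version 0x0502, one entry). The principal name, realm, kvno and 32-byte key are constructed sample values; a real key would be produced by the Kerberos string-to-key function from the password and salt, which is the step this example stands in for.

```python
import struct
from dataclasses import dataclass
from typing import List

KEYTAB_MAGIC = b"\x05\x02"            # MIT keytab file format, version 2
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18  # enctype number from RFC 3962
NT_PRINCIPAL = 1                      # Kerberos name type KRB5_NT_PRINCIPAL

# Constructed sample values (assumptions for this illustration only)
SAMPLE_PRINCIPAL = "nn/nn-host.example.com@EXAMPLE.COM"
SAMPLE_PASSWORD = "Generated-Temp-Passw0rd"
SAMPLE_KEY = bytes(range(32))         # stands in for string-to-key(password, salt)
SAMPLE_KVNO = 3
SAMPLE_TIMESTAMP = 1465920000


def encode_unicode_pwd(password: str) -> bytes:
    """Encode a password for the AD unicodePwd attribute: the password
    wrapped in double quotes, as UTF-16LE. AD rejects this modification
    unless the LDAP session is encrypted (LDAPS), which is why the
    workflow insists on LDAPS rather than plain LDAP."""
    return ('"' + password + '"').encode("utf-16-le")


@dataclass
class KeytabEntry:
    principal: str   # "name/instance@REALM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int


def _encode_entry(e: KeytabEntry) -> bytes:
    """Serialize one entry in keytab v2 layout (big-endian fields).
    In v2 the component count excludes the realm."""
    name, realm = e.principal.split("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">I", NT_PRINCIPAL)
    body += struct.pack(">I", e.timestamp)
    body += struct.pack(">B", e.kvno & 0xFF)          # 8-bit kvno field
    body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)                 # optional 32-bit kvno
    return struct.pack(">i", len(body)) + body


def write_keytab(entries: List[KeytabEntry]) -> bytes:
    return KEYTAB_MAGIC + b"".join(_encode_entry(e) for e in entries)


def read_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a keytab produced by write_keytab (or a real MIT keytab)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:               # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        pos += 4                    # name type, not needed here
        (ts,) = struct.unpack_from(">I", data, pos); pos += 4
        kvno = data[pos]; pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        if end - pos >= 4:          # prefer the 32-bit kvno when present
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   kvno, enctype, key, ts))
    return entries


def build_sample_keytab() -> bytes:
    """What a distributed keytab holds: the key, never the password."""
    entry = KeytabEntry(SAMPLE_PRINCIPAL, SAMPLE_KVNO,
                        ENCTYPE_AES256_CTS_HMAC_SHA1_96, SAMPLE_KEY,
                        SAMPLE_TIMESTAMP)
    return write_keytab([entry])


def password_absent_from_keytab(data: bytes, password: str) -> bool:
    """Sanity check a defender can run: the temporary password must not
    appear in the keytab in either ASCII or the AD UTF-16LE form."""
    return (password.encode() not in data
            and encode_unicode_pwd(password) not in data)


if __name__ == "__main__":
    kt = build_sample_keytab()
    for e in read_keytab(kt):
        print(e.principal, "kvno", e.kvno, "enctype", e.enctype, e.key.hex())
    print("password absent:", password_absent_from_keytab(kt, SAMPLE_PASSWORD))
```

The parser accepts real keytabs as well, so it can be used to inspect what was distributed to a host (principal, kvno and enctype) without needing `klist -k`; the key bytes themselves are the secret and should be treated exactly like the password they replace.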
Created 06-14-2016 03:32 PM
@Pranay Vyas Please check this - http://hortonworks.com/blog/enabling-kerberos-hdp-active-directory-integration/
This is internally managed within a script by Ambari. You can check the process details to see what commands it executes when Ambari tries to create principals for services.
Created 06-14-2016 03:49 PM
Are you looking for the following Java code?
Like:
and
From the Python side you can look at the following script (some functions like "def create_keytab_file(principal, path, auth_identity=None)"):
/var/lib/ambari-server/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py