Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

How does Ambari create Principals and keytabs on AD as kerberos

Labels:
avatar
author-rank PranayV author-rank
Super Collaborator

Created ‎06-14-2016 03:18 PM

Hi,

How does Ambari create keytabs and principals when AD KDC is being used since kadmin command does not work?

is it programatically or through a script similar to kerberos_setup.py in ambari resources directory?

3,690 Views
1 ACCEPTED SOLUTION

avatar
author-rank rlevas
Guru

Created ‎06-14-2016 03:58 PM

@Pranay Vyas,

When enabling Kerberos, Ambari set to integrated with an MIT KDC, Active Directory, and soon FreeIPA. This setting allowing Ambari to interact with the specific KDC as needed.

In the case of Active Directory, Ambari uses the Active Directory's LDAP interface, via the LDAPS protocol. During the enable Kerberos workflow, the user needs to supply details about this interface (LDAPS URL, container DN, and administrative credentials). Ambari can also be configured to set certain properties on the accounts it creates while enabling Kerberos. Note that the protocol MUST be LDAPS since Active Directory requires a secure connection in order for a password to be set or updated on an account in the domain.

As part of this process, Ambari will internally create and distribute the keytab files that are needed. This can be done because Ambari generates and temporarily holds on to the passwords for each account it creates in the Active Directory. Once the process is complete, the passwords are lost and cannot be retrieved. However the keytab files will exist and be distributed, so the passwords are not needed.

View solution in original post

1,741 Views
3 REPLIES 3

avatar
author-rank sshimpi
Super Guru

Created ‎06-14-2016 03:32 PM

@Pranay Vyas Pls check this - http://hortonworks.com/blog/enabling-kerberos-hdp-active-directory-integration/

This is internally manager within script by ambari. You can check the process details on what command it executes when ambari tries to create principals for services.

1,741 Views

avatar
Former Member

Created ‎06-14-2016 03:49 PM

@Pranay Vyas

Are you looking out for the following java codes?

https://github.com/apache/ambari/tree/trunk/ambari-server/src/main/java/org/apache/ambari/server/ser...

Like:

https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/java/org/apache/ambari/server/ser...

and

https://github.com/apache/ambari/blob/trunk/ambari-server/src/main/java/org/apache/ambari/server/ser...

From Python side you can look at the following Script (Some functions like "def create_keytab_file(principal, path, auth_identity=None)"

/var/lib/ambari-server/resources/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py
1,741 Views

avatar
author-rank rlevas
Guru

Created ‎06-14-2016 03:58 PM

@Pranay Vyas,

When enabling Kerberos, Ambari set to integrated with an MIT KDC, Active Directory, and soon FreeIPA. This setting allowing Ambari to interact with the specific KDC as needed.

In the case of Active Directory, Ambari uses the Active Directory's LDAP interface, via the LDAPS protocol. During the enable Kerberos workflow, the user needs to supply details about this interface (LDAPS URL, container DN, and administrative credentials). Ambari can also be configured to set certain properties on the accounts it creates while enabling Kerberos. Note that the protocol MUST be LDAPS since Active Directory requires a secure connection in order for a password to be set or updated on an account in the domain.

As part of this process, Ambari will internally create and distribute the keytab files that are needed. This can be done because Ambari generates and temporarily holds on to the passwords for each account it creates in the Active Directory. Once the process is complete, the passwords are lost and cannot be retrieved. However the keytab files will exist and be distributed, so the passwords are not needed.

1,742 Views
Announcements
What's New @ Cloudera
Cloudera DataFlow 2.9 now supports building GenAI pipelines ...
What's New @ Cloudera
Accelerate Data Scientist Productivity with Cloudera Copilot...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
Community Announcements
October 2024 Community Highlights
What's New @ Cloudera
Accelerate Your AI with the Cloudera AI Inference Service wi...
View More Announcements