
How to create compatible keytabs and principals in Windows AD for manual Kerberos Configuration.


Re: How to create compatible keytabs and principals in Windows AD for manual Kerberos Configuration.

Contributor

@Robert Levas

Below did not work :(

[root@single tmp]# ldapadd -x -H ldap://ad01.dev.com:389 -D "adminuser99@dev.com" -W -f add_user_orig.ldif
Enter LDAP Password:
adding new entry "CN=HTTP/single.dev.com,OU=SingleDomain,DC=dev,DC=com"

modifying entry "CN=HTTP/single.dev.com,OU=SingleDomain,DC=dev,DC=com"
ldap_modify: Server is unwilling to perform (53)
        additional info: 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0

cat add_user_orig.ldif
dn: CN=HTTP/single.dev.com,OU=SingleDomain,DC=dev,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
distinguishedName: CN=HTTP/single.dev.com,OU=SingleDomain,DC=dev,DC=com
cn: HTTP/single.dev.com
userAccountControl: 514
accountExpires: 0
userPrincipalName: HTTP/single.dev.com@DEV.COM
servicePrincipalName: HTTP/single.dev.com@DEV.COM

dn: CN=HTTP/single.dev.com,OU=SingleDomain,DC=dev,DC=com
changetype: modify
replace: unicodePwd
unicodePwd::IgBoAGEAZABvAG8AcABSAG8AYwBrAHMAMQAyADMAIQAiAA==

dn: CN=HTTP/single.dev.com,OU=SingleDomain,DC=dev,DC=com
changetype: modify
replace: userAccountControl
userAccountControl: 66048
[root@single tmp]#

Re: How to create compatible keytabs and principals in Windows AD for manual Kerberos Configuration.

The reason the ldapadd command failed is because you must use LDAPS rather than LDAP to perform this operation. It is an Active Directory requirement that when setting a password on an account the connection must be secure.

If you use LDAPS, the ldapadd command will want to verify the SSL certificate coming from the AD. To bypass this check, edit the /etc/openldap/ldap.conf file and update or add the following line:

TLS_REQCERT never
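The two posts above show the moving parts of creating an AD service account by LDIF: the account is added disabled (userAccountControl 514), unicodePwd is set as a base64 value that must be the password wrapped in double quotes and encoded as UTF-16LE, and the account is then enabled with a non-expiring password (66048). The script below is an added example, not code from the thread, Ambari or Cloudera; it rebuilds that three-record LDIF from parameters, encodes and decodes the unicodePwd value so an LDIF can be checked before it is sent, names the userAccountControl bits, and assembles the ldapadd command over ldaps on the standard port 636. The hostnames, OU and realm are the ones from the thread; the password is the one the thread's own base64 value decodes to.

```python
import base64

# userAccountControl bits (documented Active Directory flag values) that
# appear in the thread's LDIF: 514 = 0x202, 66048 = 0x10200.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}


def unicode_pwd_attr(password: str) -> str:
    """Encode a password the way AD's unicodePwd attribute expects it:
    wrapped in double quotes, UTF-16LE, then base64 for LDIF's '::' form."""
    raw = ('"' + password + '"').encode("utf-16-le")
    return base64.b64encode(raw).decode("ascii")


def decode_unicode_pwd(b64_value: str) -> str:
    """Inverse of unicode_pwd_attr; lets you verify an LDIF before sending it."""
    text = base64.b64decode(b64_value).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not wrapped in double quotes")
    return text[1:-1]


def uac_flags(value: int) -> list:
    """Name the known bits set in a userAccountControl value (ascending bit order)."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def service_account_ldif(service: str, host: str, realm: str, ou_dn: str, password: str) -> str:
    """Build the three-record LDIF from the thread: create the disabled account,
    set unicodePwd, then enable it with a non-expiring password."""
    cn = f"{service}/{host}"
    dn = f"CN={cn},{ou_dn}"
    principal = f"{cn}@{realm}"
    records = [
        "\n".join([
            f"dn: {dn}",
            "changetype: add",
            "objectClass: top",
            "objectClass: person",
            "objectClass: organizationalPerson",
            "objectClass: user",
            f"distinguishedName: {dn}",
            f"cn: {cn}",
            # NORMAL_ACCOUNT | ACCOUNTDISABLE: created disabled, no password yet
            f"userAccountControl: {0x0200 | 0x0002}",
            "accountExpires: 0",
            f"userPrincipalName: {principal}",
            f"servicePrincipalName: {principal}",
        ]),
        "\n".join([
            f"dn: {dn}",
            "changetype: modify",
            "replace: unicodePwd",
            f"unicodePwd::{unicode_pwd_attr(password)}",
        ]),
        "\n".join([
            f"dn: {dn}",
            "changetype: modify",
            "replace: userAccountControl",
            # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD: enabled, password never expires
            f"userAccountControl: {0x0200 | 0x10000}",
        ]),
    ]
    return "\n\n".join(records) + "\n"


def ldapadd_command(ad_host: str, bind_dn: str, ldif_path: str, port: int = 636) -> list:
    """argv for ldapadd over LDAPS, the transport AD requires when unicodePwd is set."""
    return ["ldapadd", "-x", "-H", f"ldaps://{ad_host}:{port}",
            "-D", bind_dn, "-W", "-f", ldif_path]


if __name__ == "__main__":
    ldif = service_account_ldif("HTTP", "single.dev.com", "DEV.COM",
                                "OU=SingleDomain,DC=dev,DC=com", "hadoopRocks123!")
    print(ldif)
    print(" ".join(ldapadd_command("ad01.dev.com", "adminuser99@dev.com", "add_user_orig.ldif")))
```

Run it to write the LDIF to a file and copy the printed ldapadd line. If the AD CA certificate is available, pointing OpenLDAP at it with TLS_CACERT in /etc/openldap/ldap.conf keeps certificate verification on; TLS_REQCERT never is the quicker path but means the client will accept any certificate the server presents.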

Re: How to create compatible keytabs and principals in Windows AD for manual Kerberos Configuration.

Contributor

@Robert Levas

I followed the other link provided by you on how to create principals and keytabs and I created for a single node but no luck :(

Globe is round, and I ran into the same issue.

Re: How to create compatible keytabs and principals in Windows AD for manual Kerberos Configuration.

So you created all the needed principals and keytab files for the node and set the access to the keytab files properly. What error are you getting now?

Re: How to create compatible keytabs and principals in Windows AD for manual Kerberos Configuration.

Contributor

@Robert Levas ... the initial error, which is reported as the main subject, is observed again.

Next time I used the setspn command and everything went well...

Don't know where the mistake is...