
Is there any way to skip "create principal" and "create keytab" step in enable kerberos wizard while kerberizing the cluster?


New Contributor

Hi All,

We are trying to kerberize the cluster using Centrify with pre-created AD accounts and keytabs. So far we are able to kerberize with the following approach.

  • Generate computer account in AD and centrify using APIs. [We can access AD or Centrify only through APIs].
  • Do “adjoin” after creating computer accounts in AD and CENTRIFY.
  • Create principals and keytabs for user and services in AD/Centrify
  • Place user and service keytabs on respective hosts in /etc/security/keytabs
  • From Ambari UI, Enable Security -> Existing Active Directory

But it gets as far as the creation of principals and then fails. So, is there any procedure which can skip the "create principal" and "create keytabs" steps, as they are already created and placed on the respective hosts?

Accepted Solutions

Re: Is there any way to skip "create principal" and "create keytab" step in enable kerberos wizard while kerberizing the cluster?

@Ajit Sonawane

There are a few articles on HCC related to enabling Kerberos using Ambari when Centrify is involved. For example:

However, if you wish to have Ambari skip creating keytab files and principals, you can use the Enable Kerberos Wizard and choose the "manual" option. This will allow Ambari to configure the services while allowing you to manually manage the underlying Kerberos infrastructure and identities (principals and keytab files).

Re: Is there any way to skip "create principal" and "create keytab" step in enable kerberos wizard while kerberizing the cluster?

New Contributor

Thanks Robert for your quick reply.

Is there any REST API or Ambari Blueprint option which supports the "Manual" way of kerberization?

Re: Is there any way to skip "create principal" and "create keytab" step in enable kerberos wizard while kerberizing the cluster?

You can specify that you do not want Ambari to manage the underlying Kerberos infrastructure (MIT Kerberos library, krb5.conf, principals, and keytab files) using the API or Blueprints by setting the following configurations:

kerberos-env/kdc_type = "none"
kerberos-env/manage_identities = false
kerberos-env/install_packages = false
krb5-conf/manage_krb5_conf = false

Technically, you can pick and choose which features you want Ambari to handle or not handle, but the above settings are what the UI sets when you choose the "manual" option.

See https://github.com/apache/ambari/blob/trunk/ambari-server/docs/security/kerberos/enabling_kerberos.m... for more information on using the API to enable Kerberos.
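Added example (not part of the original replies and not Ambari's own code): a pre-flight check that reads a Blueprint and reports which of the four settings listed above are missing or not in "manual" mode, so Ambari does not attempt to create principals or keytabs that already exist. The Blueprint layout it parses (a `configurations` list, with or without a `properties` wrapper) and the sample document are assumptions constructed for illustration.

```python
import json

# The four values the answer above lists for the wizard's "manual" option.
MANUAL_SETTINGS = {
    ("kerberos-env", "kdc_type"): "none",
    ("kerberos-env", "manage_identities"): "false",
    ("kerberos-env", "install_packages"): "false",
    ("krb5-conf", "manage_krb5_conf"): "false",
}

def _normalize(value):
    # Values may arrive as JSON booleans or as strings; compare as lowercase text.
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value).strip().lower()

def _properties(blueprint, config_type):
    # Assumed layout: "configurations" is a list of objects shaped like
    # {type: {"properties": {...}}} or {type: {...}}; later entries win.
    merged = {}
    for entry in blueprint.get("configurations", []):
        body = entry.get(config_type)
        if isinstance(body, dict):
            props = body.get("properties")
            merged.update(props if isinstance(props, dict) else body)
    return merged

def manual_mode_gaps(blueprint):
    """Return {"type/key": found_value_or_None} for settings not in manual mode."""
    gaps = {}
    for (ctype, key), wanted in MANUAL_SETTINGS.items():
        found = _properties(blueprint, ctype).get(key)
        if found is None or _normalize(found) != wanted:
            gaps[f"{ctype}/{key}"] = found
    return gaps

# Constructed sample: install_packages is absent and manage_krb5_conf is still true.
SAMPLE = json.loads("""
{"configurations": [
  {"kerberos-env": {"properties": {"kdc_type": "none", "manage_identities": "false"}}},
  {"krb5-conf": {"properties": {"manage_krb5_conf": true}}}
]}
""")

if __name__ == "__main__":
    for setting, found in manual_mode_gaps(SAMPLE).items():
        print(f"{setting}: found {found!r}, not the manual-mode value")
```

An empty result means all four settings match the values the "manual" option sets; a missing key is reported with `None` because the check does not assume what Ambari's default for it is.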

Re: Is there any way to skip "create principal" and "create keytab" step in enable kerberos wizard while kerberizing the cluster?

New Contributor

Thanks @Robert Levas, problem solved with your solution.
