Is there any way to skip "create principal" and "create keytab" step in enable kerberos wizard while kerberizing the cluster?

Hi All,

We are trying to kerberize the cluster using Centrify with pre-created AD accounts and keytabs. So far we are able to kerberize with the following approach.

  • Generate computer account in AD and Centrify using APIs. [We can access AD or Centrify only through APIs].
  • Do “adjoin” after creating computer accounts in AD and CENTRIFY.
  • Create principals and keytabs for user and services in AD/Centrify
  • Place user and service keytabs on respective hosts in /etc/security/keytabs
  • From Ambari UI, Enable Security -> Existing Active Directory

But it reaches the point of creating principals and then fails. So, is there any procedure which can skip the "create principal" and "create keytabs" steps, as they are already created and placed on the respective hosts?

1 ACCEPTED SOLUTION

@Ajit Sonawane

There are a few articles on HCC related to enabling Kerberos using Ambari when Centrify is involved. For example:

However if you wish to have Ambari skip creating keytab files and principals, you can use the Enable Kerberos Wizard and choose the "manual" option. This will allow Ambari to configure the services while allowing you to manually manage the underlying Kerberos infrastructure and identities (principals and keytab files).

Thanks Robert for your quick reply.

Is there any REST API or Ambari Blueprint option which supports the "Manual" way of kerberization?

You can specify that you do not want Ambari to manage the underlying Kerberos infrastructure (MIT Kerberos library, krb5.conf, principals, and keytab files) using the API or Blueprints by setting the following configurations:

kerberos-env/kdc_type = "none"
kerberos-env/manage_identities = false
kerberos-env/install_packages = false
krb5-conf/manage_krb5_conf = false

Technically, you can pick and choose which features you want Ambari to handle or not; but the above settings are what the UI sets when you choose the "manual" option.

See https://github.com/apache/ambari/blob/trunk/ambari-server/docs/security/kerberos/enabling_kerberos.m... for more information on using the API to enable Kerberos.
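Added example, not part of the original thread or of Ambari itself: a pre-flight check that a Blueprint carries the four "manual" settings listed above before it is submitted, so that Ambari does not try to create principals or keytabs it was never meant to manage. The Blueprint layout (a "configurations" list of config-type entries), the function names and the sample document are assumptions made for illustration.

```python
import json

# Settings the reply above lists for "manual" mode (config type -> property -> value).
MANUAL_MODE = {
    "kerberos-env": {"kdc_type": "none", "manage_identities": "false",
                     "install_packages": "false"},
    "krb5-conf": {"manage_krb5_conf": "false"},
}

def _norm(value):
    """Compare JSON booleans and strings uniformly: False -> 'false'."""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value).strip().lower()

def collect_properties(blueprint):
    """Flatten the 'configurations' list into {config_type: {prop: value}}.
    Accepts both {"type": {"properties": {...}}} and {"type": {...}} entries
    (assumed layout)."""
    merged = {}
    for entry in blueprint.get("configurations", []):
        for config_type, body in entry.items():
            props = body.get("properties", body) if isinstance(body, dict) else {}
            merged.setdefault(config_type, {}).update(props)
    return merged

def manual_mode_problems(blueprint):
    """Return human-readable deviations from the manual-mode settings."""
    found = collect_properties(blueprint)
    problems = []
    for config_type, expected in MANUAL_MODE.items():
        for prop, want in expected.items():
            have = found.get(config_type, {}).get(prop)
            if have is None:
                problems.append(f"{config_type}/{prop} is not set (want {want})")
            elif _norm(have) != want:
                problems.append(f"{config_type}/{prop} = {have!r} (want {want})")
    return problems

# Constructed sample: manage_identities left on, krb5-conf section missing.
SAMPLE_BLUEPRINT = json.loads("""
{"configurations": [
   {"kerberos-env": {"properties": {"kdc_type": "none",
                                    "manage_identities": "true",
                                    "install_packages": false}}}
]}
""")

if __name__ == "__main__":
    for line in manual_mode_problems(SAMPLE_BLUEPRINT) or ["manual mode settings OK"]:
        print(line)
```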

Thanks @Robert Levas, problem solved with your solution.