Kerberized Clusters - Can you have multiple keytabs in AD using the same principal name on different hosts?

Contributor

In our environment we are not able to use keytabs with the same principal name on different servers. For example, nifi-1-service-keytab with a principal name of nifi can only be used on server 1, even if the keytab is changed to nifi-2-service-keytab. nifi-2-server-keytab cannot be used on a different server with the same principal name nifi in AD.


Expert Contributor

Please provide information on how you are generating and defining your keytabs.

Try: klist -k nifi-1-service-keytab

If your principals have HOST (machine name or IP) as part of the definition, like xxxx/HOST_NAME@domain, you will not be able to use the keytab on any other machine.

Renaming the keytab will not work, as the content of the file still points to a specific host.

It is best practice to have a separate keytab for each machine. Reusing the same keytab is not the most secure option.

Alternatively, if you define a principal in AD as headless, that is, without the HOST attribute, and then create a keytab, that keytab can be used on any host. Typically this is your hdfs principal. But it is not too secure.

Contributor

Hi Umair,

Our AD team created a headless keytab without the HOST attribute, and the keytab with the same service account name with the HOST attribute broke, and the headless keytab doesn't work. What is the appropriate syntax for creating headless keytabs in AD? We created it as follows:

C:\Users\adminname>ktpass /princ serviceaccountname@domain.com /pass securepassword /mapuser serviceaccountname /pType KRB5_NT_PRINCIPAL /out serviceaccountname_headless.keytab
Targeting domain controller: hostname.domain.com
Failed to set property 'servicePrincipalName' to 'serviceaccountname' on Dn 'CN=serviceaccountname,OU=Hadoop,OU=Secure,OU=Secure,OU=Secure,DC=domain,DC=com': 0x13.
WARNING: Unable to set SPN mapping data. If serviceaccountname already has an SPN mapping installed for serviceaccountname, this is no cause for concern.
Password successfully set!
Key created.
Output keytab to serviceaccountname_headless.keytab:
Keytab version: 0x502
keysize 57 serviceaccountname@domain.com ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x17 (RC4-HMAC) keylength 16 (A000000000000000000)

This is the error received when kiniting the headless keytab:

Keytab contains no suitable keys for serviceaccountname@domain.com while getting initial credentials.

Master Mentor

@Debra Montague

Make sure the encryption types are the same; also check that the KVNO (key version number) is the same!

See the syntax here: Link
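As an added example (not from this thread, Cloudera or any Microsoft tool), here is a small Python parser for the MIT keytab format (version 0x0502, the one ktpass wrote above) that reports, per entry, the principal, whether it is host-bound (service/HOST form, as in the first reply), its KVNO and its enctype, and flags entries whose KVNO or enctype differs from what the KDC holds, which is what yields "no suitable keys". The sample keytab, the hostname nifi-1.domain.com and the KDC values are constructed; real keytabs come from ktpass or kadmin.

```python
import struct
# Enctype numbers from RFC 3961/4757; 0x17 = 23 is the RC4-HMAC shown in the ktpass output above.
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
_cstr = lambda b: struct.pack(">H", len(b)) + b   # counted octet string: 16-bit length + bytes

def build_keytab(entries):
    """Serialise (principal, realm, kvno, etype, key) tuples as an MIT 0x0502 keytab (constructed)."""
    out = bytearray(b"\x05\x02")
    for principal, realm, kvno, etype, key in entries:
        comps = principal.encode().split(b"/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode()) + b"".join(map(_cstr, comps))
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key  # name_type, time, vno8, keyblock
        body += struct.pack(">I", kvno)                   # 32-bit kvno, overrides vno8 when present
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Return one dict per entry, roughly what `klist -ke` prints for the file."""
    assert data[:2] == b"\x05\x02", "only keytab version 0x0502 is handled"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:                                      # negative size marks a deleted slot
            ncomp, = struct.unpack_from(">H", data, pos)
            pos, strs = pos + 2, []
            for _ in range(ncomp + 1):                    # realm first, then the name components
                n, = struct.unpack_from(">H", data, pos)
                strs.append(data[pos + 2:pos + 2 + n].decode())
                pos += 2 + n
            _ntype, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
            pos += 13 + klen                              # step over the key material itself
            kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
            entries.append({"principal": "/".join(strs[1:]) + "@" + strs[0], "kvno": kvno,
                            "etype": etype, "etype_name": ETYPE_NAMES.get(etype, str(etype)),
                            "host_bound": ncomp > 1})     # service/HOST form only works on that host
        pos = end
    return entries

def check_keytab(data, kdc_kvno, kdc_etypes):
    """Entries that would give 'no suitable keys': kvno or enctype differs from what the KDC holds."""
    problems = []
    for e in parse_keytab(data):
        if e["kvno"] != kdc_kvno:
            problems.append(f'{e["principal"]}: keytab kvno {e["kvno"]} != KDC kvno {kdc_kvno}')
        if e["etype"] not in kdc_etypes:
            problems.append(f'{e["principal"]}: enctype {e["etype_name"]} not enabled on the KDC')
    return problems
# Constructed sample: the host-bound entry was cut before ktpass reset the password (kvno 4 -> 5).
SAMPLE = build_keytab([("nifi/nifi-1.domain.com", "DOMAIN.COM", 4, 23, b"\x11" * 16),
                       ("nifi", "DOMAIN.COM", 5, 23, b"\x22" * 16)])
```

Running check_keytab(SAMPLE, 5, {23}) flags only the stale host-bound entry, which is the symptom described above: creating the headless keytab bumped the account's KVNO and silently broke the older host-bound keytab.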

Contributor

Hi Geoffrey,

Is this the same for creating headless keytabs/principals? We are able to create keytabs with host attributes, the issue is using the same service name to create a headless account. Does the article you pointed to address this?

Thanks,