Kerberized Clusters - Can you have multiple keytabs in AD using same principal name on different hosts.

Explorer

In our environment we are not able to use keytabs with the same principal name on different servers. For example, nifi-1-service-keytab with a principal name of nifi can only be used on server 1, even if the keytab is changed to nifi-2-service-keytab. nifi-2-server-keytab cannot be used on a different server with the same principal name nifi in AD.

Re: Kerberized Clusters - Can you have multiple keytabs in AD using same principal name on different hosts.

Expert Contributor

Please provide information on how you are generating and defining your keytabs.

Try klist -k nifi-1-service-keytab

If your principals have HOST (machine name or IP) as part of the definition, like xxxx/HOST_NAME@domain, you will not be able to use the keytab on any other machine.

Renaming the keytab will not work, as the content of the file still points to a specific host.

It is best practice to have a separate keytab for each machine. Reusing the same keytab is not the most secure option.

Alternatively, if you define a principal in AD as headless, that is, without the HOST attribute, and then create a keytab, that keytab can be used on any host; typically this is your hdfs principal. But it is not too secure.

Re: Kerberized Clusters - Can you have multiple keytabs in AD using same principal name on different hosts.

Explorer

Hi Umair,

Our AD team created a headless keytab without the HOST attribute; the keytab with the same service account name and the HOST attribute broke, and the headless keytab doesn't work. What is the appropriate syntax for creating headless keytabs in AD? We created it as follows:

C:\Users\adminname>ktpass /princ serviceaccountname@domain.com /pass securepassword /mapuser serviceaccountname /pType KRB5_NT_PRINCIPAL /out serviceaccountname_headless.keytab
Targeting domain controller: hostname.domain.com
Failed to set property 'servicePrincipalName' to 'serviceaccountname' on Dn 'CN=serviceaccountname,OU=Hadoop,OU=Secure,OU=Secure,OU=Secure,DC=domain,DC=com': 0x13.
WARNING: Unable to set SPN mapping data.
If serviceaccountname already has an SPN mapping installed for serviceaccountname, this is no cause for concern.
Password successfully set!
Key created.
Output keytab to serviceaccountname_headless.keytab:
Keytab version: 0x502
keysize 57 serviceaccountname@domain.com ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x17 (RC4-HMAC) keylength 16 (A000000000000000000)

This is the error received when kiniting the headless keytab:

Keytab contains no suitable keys for serviceaccountname@domain.com while getting initial credentials.

Re: Kerberized Clusters - Can you have multiple keytabs in AD using same principal name on different hosts.

Mentor

@Debra Montague

Make sure the encryption types are the same; also check that the KVNO (key version number) is the same!

See the syntax here Link
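To check the three things raised in this thread offline, whether a principal is HOST-qualified or headless (what Umair's klist -k shows) and whether the encryption type and KVNO match (Geoffrey's point), here is an added Python example that is not from any of the posts: it parses the 0x502 keytab format and, for a given principal, lists per entry why kinit would report "no suitable keys". The realm, host name and key bytes in SAMPLE are constructed; the permitted etypes and the KDC's current kvno are inputs you would take from the client's krb5.conf and the KDC.

```python
import struct

def keytab_entry(principal, kvno, etype, key):  # name type 1 = KRB5_NT_PRINCIPAL, timestamp 0
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    body += b"".join(struct.pack(">H", len(c)) + c.encode() for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Yield (principal, kvno, etype) per live entry, the fields `klist -k -e` prints."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos = 2
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos, end = pos + 4, pos + 4 + abs(size)
        if size < 0:                          # negative length marks a deleted slot
            pos = end
            continue
        ncomp, rlen = struct.unpack(">HH", data[pos:pos + 4])
        realm = data[pos + 4:pos + 4 + rlen].decode()
        pos += 4 + rlen
        comps = []
        for _ in range(ncomp):                # name components: e.g. nifi, then the host
            clen = struct.unpack(">H", data[pos:pos + 2])[0]
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        _ntype, _stamp, vno8, etype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
        pos += 13 + klen                      # step over the key material itself
        vno32 = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else 0
        yield "/".join(comps) + "@" + realm, vno32 or vno8, etype
        pos = end

def no_suitable_keys(keytab, principal, permitted_etypes, expected_kvno=None):
    reasons = []                              # kinit hides these; return one per entry
    for name, kvno, etype in parse_keytab(keytab):
        if name != principal:
            reasons.append(f"{name}: principal differs (name and realm are case-sensitive)")
        elif etype not in permitted_etypes:
            reasons.append(f"{name}: etype {etype} is not permitted on this client")
        elif expected_kvno is not None and kvno != expected_kvno:
            reasons.append(f"{name}: kvno {kvno} differs from the KDC's kvno {expected_kvno}")
        else:
            return []                         # a usable key exists
    return reasons

# Constructed sample keytab: host-bound AES256 entry (etype 18), headless RC4 entry (etype 23)
SAMPLE = b"\x05\x02" + keytab_entry("nifi/node1.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32)
SAMPLE += keytab_entry("nifi@EXAMPLE.COM", 5, 23, b"\x22" * 16)
```

Run it against a real keytab with `no_suitable_keys(open("x.keytab", "rb").read(), "nifi@REALM", {18, 23}, 5)`; an empty list means the file has a usable key, otherwise each line tells you which of name, etype or kvno is off for each entry.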

Re: Kerberized Clusters - Can you have multiple keytabs in AD using same principal name on different hosts.

Explorer

Hi Geoffrey,

Is this the same for creating headless keytabs/principals? We are able to create keytabs with host attributes, the issue is using the same service name to create a headless account. Does the article you pointed to address this?

Thanks,
