Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Script used to generate AD accounts during kerberos setup

Labels:
avatar
author-rank coolgags
Explorer

Created on ‎09-18-2018 10:35 AM - edited ‎09-16-2022 06:43 AM

Dear Team,

Can you be so kind to help me with the location of script which creates AD accounts during automated kerberos setup via ambari. (AD team wants to review before giving us write access)

I looked at /var/lib/ambari-server/resources/scripts/kerberos_setup.sh but could not understand where we create and delete AD users.

Thanks and Best Regards,

Gagan

1,774 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank rlevas
Guru

Created ‎09-18-2018 01:23 PM

@Gagandeep Singh Chawla

I do not believe that an AD-specific script is provided with Ambari; however some of the Hortonworks support or professional services folks may have something.

The provided script may be out of date and is geared towards the MIT KDC. It will not work with an Active Directory. Active Directory would prefer that all account creation and keytab export routines be executed on the Windows server, itself. However, since AD has an LDAP interface that can be used to add new objects to the database, Ambari is able to create principals and set password. Thus giving it the ability to automate creating principals and keytab files remotely - the keytab files are actually generated by Ambari and not exported from the AD.

If you are looking for steps on how Ambari does this, take a look at the HCC article How to create AD principal accounts using OpenLdap utilities and adding it to a keytab. This is not exactly what Ambari does, but it is really close. Using details from that article, I can imagine that a script can be built to read an Ambari-provided CSV file and create the needed principals and keytab files.

View solution in original post

1,694 Views
2 REPLIES 2

avatar
author-rank rlevas
Guru

Created ‎09-18-2018 01:23 PM

@Gagandeep Singh Chawla

I do not believe that an AD-specific script is provided with Ambari; however some of the Hortonworks support or professional services folks may have something.

The provided script may be out of date and is geared towards the MIT KDC. It will not work with an Active Directory. Active Directory would prefer that all account creation and keytab export routines be executed on the Windows server, itself. However, since AD has an LDAP interface that can be used to add new objects to the database, Ambari is able to create principals and set password. Thus giving it the ability to automate creating principals and keytab files remotely - the keytab files are actually generated by Ambari and not exported from the AD.

If you are looking for steps on how Ambari does this, take a look at the HCC article How to create AD principal accounts using OpenLdap utilities and adding it to a keytab. This is not exactly what Ambari does, but it is really close. Using details from that article, I can imagine that a script can be built to read an Ambari-provided CSV file and create the needed principals and keytab files.

1,695 Views

avatar
author-rank coolgags
Explorer

Created ‎09-19-2018 08:15 AM

Thanks for the detailed answer, it is very helpful! BR//Gagan

1,694 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera DataFlow 2.9 now supports building GenAI pipelines ...
What's New @ Cloudera
Accelerate Data Scientist Productivity with Cloudera Copilot...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
Community Announcements
October 2024 Community Highlights
What's New @ Cloudera
Accelerate Your AI with the Cloudera AI Inference Service wi...
View More Announcements