Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

When principals are created in Active Directory during Kerberos installation (no local KDC), what password is used for each principal?

Solved Go to solution

When principals are created in Active Directory during Kerberos installation (no local KDC), what password is used for each principal?

Expert Contributor

A client asks this question "I see objects in AD. These objects are AD user objects with the password set to next expire. Do you know what default password is used on these accounts on the AD side?"

1 ACCEPTED SOLUTION

Accepted Solutions

Re: When principals are created in Active Directory during Kerberos installation (no local KDC), what password is used for each principal?

When Ambari creates passwords for accounts it generates a string of 20 characters chosen from a set of various character classes - uppercase characters, lowercase characters, digits, punctuation, and whitespace. A minimum number of instances of each character class can be configured to help meet password policies that might be applied to the KDC.

3 REPLIES 3

Re: When principals are created in Active Directory during Kerberos installation (no local KDC), what password is used for each principal?

Terry - Are you using Ambari Wizard for kerberizing the cluster? If so, passwords are randomly generated.

Here are the pointers to code that does it -

Password is generated here -

https://github.com/hortonworks/ambari/blob/d4edf4619c1c0bb309920ba86e66012a2a2e7090/ambari-server/sr...

The above function is called from here -

https://github.com/hortonworks/ambari/blob/d4edf4619c1c0bb309920ba86e66012a2a2e7090/ambari-server/sr...

And then passed to this method for creating principal in KDC / AD -

https://github.com/hortonworks/ambari/blob/8967ed9bc8967f6f6783c16f6403a3de0a0b2792/ambari-server/sr...

Re: When principals are created in Active Directory during Kerberos installation (no local KDC), what password is used for each principal?

When Ambari creates passwords for accounts it generates a string of 20 characters chosen from a set of various character classes - uppercase characters, lowercase characters, digits, punctuation, and whitespace. A minimum number of instances of each character class can be configured to help meet password policies that might be applied to the KDC.

Re: When principals are created in Active Directory during Kerberos installation (no local KDC), what password is used for each principal?

Guru

We'll be adding this information to the documentation for the Kerberos Wizard very soon: http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_Ambari_Security_Guide/content/_launching_...

It's important to note that these principal password are note permanently persisted within Ambari. They are only used to populate the AD password fields, and generate the appropriate key tabs.

Don't have an account?
Coming from Hortonworks? Activate your account here