Created on 05-15-2019 09:39 AM - last edited on 05-16-2019 05:27 AM by cjervis
Hello, recently we installed Cloudera 5.14 using Cloudera Manager and enabled Kerberos (admin Cloudera service account) with AD, also integrated with SafeNet HSM. Recently our audit team sent us the service accounts below, saying these are Cloudera service accounts. The accounts below don't have any naming convention or description. I wonder, does Cloudera have anything to do with the creation of these accounts?
svc_OZBuulcctJ
svc_PLYKXvyiqR
svc_CwvmEaMslN
svc_MphlvTooUe
svc_wCmRqxTCXP
svc_UrDrnzDMQj
svc_HtESHbVmye
svc_FmamEIrInH
svc_KqqklHtaWJ
svc_UnPXVrEwTV
svc_WWqTpUXLEh
svc_ZaOvXFkwXb
svc_fmDKHYZsCc
svc_oNDnQpatWa
svc_IHwJIQmPGF
svc_dohgzKTxyG
svc_ygyhjyKyPC
svc_ToGRzAiWnB
svc_rDsPZPAmVY
svc_rVKbPfiAMP
svc_ygQOSUMKxS
Created on 05-18-2019 05:12 AM - edited 05-18-2019 05:13 AM
During Kerberos setup with AD, Cloudera creates some random accounts needed by some processes, but those would be in the dedicated OU which you mentioned while configuring Kerberos.
I am not sure if these accounts are staying in that OU. For more understanding of how Active Directory integration for Kerberos authentication works in Cloudera, you can refer to the blog post below; I hope this will help you to identify the issue.
Created 05-20-2019 12:31 PM
Hello,
The problem is that these service accounts need to be denied interactive login according to our organization's policies, since they don't have any description or owner. These kinds of accounts might come up in auditing, so we need to make them non-interactive. Is it okay to make them non-interactive? Will the Kerberos/Cloudera setup still be fine without any issues in the future?
Created 05-20-2019 12:33 PM
Created 05-27-2019 01:41 PM
No, I am afraid you cannot delete them, as they are used by CM.
@bgooley, do you want to shed more light on this?
Created 05-28-2019 09:11 AM
We do not want to delete them. As of now they are interactive AD accounts, but we want to make them non-interactive as per our organization's compliance policies.
Created 05-28-2019 11:50 AM
Interesting... I just replied to this thread, but I couldn't see the most recent comments. Sorry if my previous comment seemed out of place.
I don't know what is meant by making the accounts "inactive", but I don't think that will work for Cloudera Manager.
The credential objects created are needed for Kerberos authentication, so that means they must be functional for Kerberos in general. I'm guessing that if the account is inactive, that will disable Kerberos authentication too, thus impacting the cluster.
Find out what your company's criteria are for accounts that can operate as needed by CM.
If it would help with the security audit compliance, it is possible to make the accounts "computer" accounts by having Cloudera Manager create the objects while including the "computer" objectClass. Confirm with your Active Directory audit team to verify that this would help... if so, then the following might help:
For example:
(1)
In Cloudera Manager, navigate to:
Administration --> Settings --> Kerberos
Review Active Directory Account Properties that defaults to:
accountExpires=0,objectClass=top,objectClass=person,objectClass=organizationalPerson,objectClass=user
(2)
Active Directory Account Properties lets you add objectClasses. To do so, you can change the value to:
accountExpires=0,objectClass=top,objectClass=person,objectClass=organizationalPerson,objectClass=user,objectClass=computer
Save
(3)
*** NOTE: If the AD account that CM uses to manage credentials does not have permission to delete objects in the base DN defined in Active Directory Suffix in your CM Kerberos configuration, or Active Directory Delete Accounts on Credential Regeneration is not enabled in the CM Kerberos configuration, then you will need to delete the objects manually in AD before continuing...
To have the change take effect:
- Shut down Cloudera Management Service and all your CDH services
- Regenerate Credentials by:
- Navigating in CM to Administration --> Security --> Kerberos Credentials (subtab)
- Checking the box next to the "Principals" column header (to select all credentials)
- Clicking Regenerate Selected to regenerate all credentials.
- Verify that the objects were created with the "computer" objectClass (in Active Directory).
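The verification step above can be scripted. The following is an added example, not Cloudera's code and not from the original post: it enumerates the objects Cloudera Manager created under the Kerberos OU and reports, for each one, the full objectClass list, whether the "computer" class is present, and whether the account is disabled (a disabled account would also break Kerberos, per the discussion above). The OU distinguished name is a placeholder for the Active Directory Suffix configured in CM, and the `svc_` name prefix is taken from the account names posted in this thread; both are assumptions. `DirectorySearcher` is used instead of `Get-ADObject` because it returns objectClass as the complete multi-valued list rather than only the most specific class, and because `computer` is a structural subclass of `user` the `(objectClass=user)` filter still matches objects after the change.

```powershell
# Added example (not Cloudera's code): audit the AD objects that Cloudera Manager
# created for Kerberos after credentials were regenerated with objectClass=computer.
# Assumptions (placeholders): $SearchBase is the "Active Directory Suffix" from the
# CM Kerberos configuration; account names start with "svc_" as shown in the thread.
param(
    [string]$SearchBase = 'OU=cloudera,DC=example,DC=com',   # placeholder OU DN
    [string]$NamePrefix = 'svc_'                              # prefix seen in the thread
)

# DirectorySearcher returns objectClass as the full multi-valued list
# (top, person, organizationalPerson, user, computer), which is what must be verified.
$searcher = [adsisearcher]"(&(objectClass=user)(cn=$NamePrefix*))"
$searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange(
    @('cn', 'objectClass', 'userAccountControl', 'servicePrincipalName', 'description'))

# ADS_UF_ACCOUNTDISABLE bit of userAccountControl; a disabled object cannot
# authenticate via Kerberos, which is the failure mode the thread warns about.
$ADS_UF_ACCOUNTDISABLE = 0x2

$report = foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties
    $classes = @($p['objectclass'])
    $uac = [int]$p['useraccountcontrol'][0]
    [pscustomobject]@{
        Name          = [string]$p['cn'][0]
        ObjectClasses = ($classes -join ',')
        IsComputer    = ($classes -contains 'computer')
        Disabled      = (($uac -band $ADS_UF_ACCOUNTDISABLE) -ne 0)
        SpnCount      = @($p['serviceprincipalname']).Count
        Description   = [string]($p['description'] | Select-Object -First 1)
    }
}

$report | Sort-Object Name | Format-Table -AutoSize

# Flag objects that either fail the audit goal (no "computer" class) or would
# no longer work for Kerberos (disabled).
$problems = $report | Where-Object { (-not $_.IsComputer) -or $_.Disabled }
if ($problems) {
    Write-Warning "Objects needing attention (missing 'computer' class or disabled):"
    $problems | Format-Table Name, ObjectClasses, Disabled -AutoSize
}
```

Run it as a user with read access to the OU; an empty warning section after regeneration means every CM-created object carries the "computer" class and none has been disabled. Objects that still lack the class usually indicate that the old objects were not deleted before regeneration (see the NOTE above about delete permissions).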
Created 05-28-2019 12:47 PM
Thanks for the insights @bgooley @GangWar.
So making them non-interactive means we cannot log in to a computer with the service account, but the account is still active in AD. So, what I want to know is: Cloudera has created random accounts which are interactive, i.e. we can log in to a machine using those accounts as a user. Can they be changed to non-interactive?
Created 05-28-2019 04:53 PM
Oh man... guess I'm getting rusty with Windows concepts.
I agree that Hadoop does not require the accounts to be interactive (able to log into Windows). They are only necessary from the KDC (Kerberos) perspective, so as long as they can still be used for Kerberos, that should work.
NOTE: If you add new roles or new hosts, Cloudera will create new objects, so I'm not sure how you would want to anticipate that.
Created 07-06-2020 09:14 AM
Hi, did you find a solution for that? I have the same request from the audit team.