Support Questions
Find answers, ask questions, and share your expertise

cloudera service accounts

Hello, recently we installed cloudera 5.14 using cloudera manager and enabled kerberos(admin cloudera service account) with AD, Also integrated with safenet HSM. recently our audit team sent us the below service accounts saying these are Cloudera service accounts : Below accounts doesn't have any naming convention or description. I wonder does Cloudera has anything to do with these account creation?























Re: cloudera service accounts


During Kerberos setup with AD Cloudera creates some random accounts needed by some processes but that would be in the dedicated OU which you have mentioned while configuring Kerberos.

I am not sure if these accounts are staying in that OU. For more understanding how Active Directory Integration for Kerberos Authentication works in Cloudera you can refer below blog post, hope this will help you to identify the issue.

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Re: cloudera service accounts


problem is that these service accounts needs to be denied interactive login according to our organization policies since they don't have any description or owner. these kind of accounts might come up in auditing so we need to make them non-interactive. Is it okay to make them non-interactive? Will the Kerberos/Cloudera setup still be fine without any issues in the future?

Re: cloudera service accounts

all the service accounts created are in dedicated cloudera OU.

Re: cloudera service accounts



No, I am afraid you can not delete it as it is used by CM. 


@bgooley want to put more light into this?

Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

Re: cloudera service accounts

we donot want to delete them , as of now they are interactive AD accounts but we want to make non-interactive as per our organization compliance policies.

Re: cloudera service accounts

Super Guru

@BiggieSmalls ,


Interesting... I just replied to this thread, but I couldn't see the most recent comments.  Sorry if my previous comment seemed out of place.


I don't know what is meant by making the accounts "inactive" but I don't think that will work for Cloudera Manager.

The credential objects created are needed for Kerberos authentication, so, that means they must be function for Kerberos in general.  I'm guessing that if the account is inactive, that will disable Kerberos authentication, too, thus impacting the cluster.


Find out what your company's criteria is for accounts that can operate as needed by CM.

If it would help with the security audit compliance, it is possible to make the accounts "computer" accounts by having Cloudera Manager create the objects while including the "computer" objectclass.  Confirm with your Active Directory audit team to verify that that would help... if so, then the following might help:


For example:




In Cloudera Manager, navigate to:

Adminsitration --> Settings --> Kerberos


Review Active Directory Account Properties that defaults to:






Active Directory Account Properties let's you add objectclasses.  To do so, you can change the value to:







*** NOTE:  If your AD account for CM to manage credentials does not have permission to delete objects in the base DN defined in Active Directory Suffix in your CM Kerberos configuration or Active Directory Delete Accounts on Credential Regeneration  is not enabled in the CM Kerberos configuration, then you will need to delete the objects manually in AD before continuing...


To have the change take effect:


- Shut down Cloudera Management Service and all your CDH services

- Regenerate Credentials by:

      - Navigating in CM to Administration --> Security --> Kerberos Credentials (subtab)

      - Checking the box next to the "Principals" column header (to select all credentials)

      - Click Regenerate Selected to regenerate all credentials.


- Verify that the objects were created with the "computer" objectclass (in Active Directory).



Re: cloudera service accounts

thanks for the insights @bgooley  @GangWar .

So making them non-interactive means we cannot login into a computer with the service account  but the account is  still be active in AD. So, what I want to know is Cloudera has created random accounts which are interactive i.e we can login to a machine using those accounts as a user, Can they be changed to non-interactive?

Re: cloudera service accounts

Super Guru

@BiggieSmalls ,


Oh man... guess I'm getting rusty with Windows concepts.

I agree that hadoop does not require the accounts to be interactive (be able to log into windows).  They are only necessary from the KDC (Kerberos) perspective so as long as they can still be used for Kerberos, that should work.


NOTE:  If you add new roles or new hosts, Cloudera will create new objects, so I'm not sure how you would want to anticipate that.

Re: cloudera service accounts


i , did you find a solution for that , i have the same request by audit team.