Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

how to find which keytab is it headless and it is service keytab

Labels:
avatar
author-rank irfangk1
Contributor

Created on ‎08-19-2019 09:07 PM - last edited on ‎08-20-2019 06:17 AM by Community Manager Community Manager

Need to know how to differentiate headless and service keytab.. any specific commands

1,904 Views
0 Kudos
2 ACCEPTED SOLUTIONS

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎09-27-2019 05:20 AM

@irfangk1 

 

Was your query answered?  If your question is answered then, Please make sure to mark the answer as the accepted solution.

If you find a reply useful, say thanks by clicking on the thumbs up button.

Please revert back if you have any followup query in this thread. That way we can find the solution/answer that way other community users can get the benefit.

View solution in original post

1,853 Views
0 Kudos

avatar
author-rank irfangk1
Contributor

Created ‎09-29-2019 09:10 PM

Yes

View solution in original post

1,843 Views
0 Kudos
4 REPLIES 4

avatar
author-rank jsensharma author-rank
Master Mentor

Created on ‎08-19-2019 09:34 PM - edited ‎08-19-2019 09:38 PM

@irfangk1 

From Standard Kerberos perspective there is no command to differentiate between headless/service keytab. 

However, we can differentiate between headless / service keytabs  you can find the detailed discussion about it in the following thread: 
https://community.cloudera.com/t5/Support-Questions/Headless-Keytab-Vs-User-Keytab-Vs-Service-Keytab...

Try running the following command on your keytab:

Headless keytab

Headless principals are not bound to a specific host or node, they have the syntax: - @EXAMPLE.COM

 

# klist -kte /etc/security/keytabs/hdfs.headless.keytab 
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 08/11/2019 01:58:27 hdfs-ker1latest@EXAMPLE.COM (des-cbc-md5) 
   2 08/11/2019 01:58:27 hdfs-ker1latest@EXAMPLE.COM (aes256-cts-hmac-sha1-96) 
   2 08/11/2019 01:58:27 hdfs-ker1latest@EXAMPLE.COM (des3-cbc-sha1) 
   2 08/11/2019 01:58:27 hdfs-ker1latest@EXAMPLE.COM (arcfour-hmac) 
   2 08/11/2019 01:58:27 hdfs-ker1latest@EXAMPLE.COM (aes128-cts-hmac-sha1-96)

 

If it is truly a headless keytab then it will not have a principal specific to a Host.

 

Service keytab

Service principal is something that does not need to be a POSIX user,they are mostly applications that have own arrangement on how they run on the OS level and need to interact with the Kerberized cluster. Notice it's principal name has hostname included.
Example:

# klist -kte /etc/security/keytabs/nn.service.keytab 
Keytab name: FILE:/etc/security/keytabs/nn.service.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 08/11/2019 01:58:40 nn/ker1latest1.example.com@EXAMPLE.COM (des-cbc-md5) 
   2 08/11/2019 01:58:40 nn/ker1latest1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96) 
   2 08/11/2019 01:58:40 nn/ker1latest1.example.com@EXAMPLE.COM (des3-cbc-sha1) 
   2 08/11/2019 01:58:40 nn/ker1latest1.example.com@EXAMPLE.COM (arcfour-hmac) 
   2 08/11/2019 01:58:40 nn/ker1latest1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)

 

.

1,898 Views
0 Kudos

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎08-19-2019 09:42 PM

@irfangk1 
You can find more details about headless / service principals/keytabs in the following doc: 
https://docs.hortonworks.com/HDPDocuments/HDP3/HDP-3.1.0/authentication-with-kerberos/content/kerber...

1,894 Views
0 Kudos

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎09-27-2019 05:20 AM

@irfangk1 

 

Was your query answered?  If your question is answered then, Please make sure to mark the answer as the accepted solution.

If you find a reply useful, say thanks by clicking on the thumbs up button.

Please revert back if you have any followup query in this thread. That way we can find the solution/answer that way other community users can get the benefit.

1,854 Views
0 Kudos

avatar
author-rank irfangk1
Contributor

Created ‎09-29-2019 09:10 PM

Yes

1,844 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements