how to find which keytab is it headless and it is service keytab
Labels: Apache Hadoop
Need to know how to differentiate headless and service keytabs. Any specific commands?
Created on ‎08-19-2019 09:34 PM - edited ‎08-19-2019 09:38 PM
From a standard Kerberos perspective, there is no command to differentiate between headless and service keytabs.
However, we can differentiate between headless and service keytabs; you can find the detailed discussion about it in the following thread:
https://community.cloudera.com/t5/Support-Questions/Headless-Keytab-Vs-User-Keytab-Vs-Service-Keytab...
Try running the following command on your keytab:
Headless keytab
Headless principals are not bound to a specific host or node; they have the syntax: - @EXAMPLE.COM
# klist -kte /etc/security/keytabs/hdfs.headless.keytab
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 08/11/2019 01:58:27 hdfs-ker1latest@EXAMPLE.COM (des-cbc-md5)
2 08/11/2019 01:58:27 hdfs-ker1latest@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 08/11/2019 01:58:27 hdfs-ker1latest@EXAMPLE.COM (des3-cbc-sha1)
2 08/11/2019 01:58:27 hdfs-ker1latest@EXAMPLE.COM (arcfour-hmac)
2 08/11/2019 01:58:27 hdfs-ker1latest@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
If it is truly a headless keytab, then it will not have a principal specific to a host.
Service keytab
A service principal is something that does not need to be a POSIX user; they are mostly applications that have their own arrangement for how they run at the OS level and need to interact with the Kerberized cluster. Notice that its principal name has the hostname included.
Example:
# klist -kte /etc/security/keytabs/nn.service.keytab
Keytab name: FILE:/etc/security/keytabs/nn.service.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
2 08/11/2019 01:58:40 nn/ker1latest1.example.com@EXAMPLE.COM (des-cbc-md5)
2 08/11/2019 01:58:40 nn/ker1latest1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 08/11/2019 01:58:40 nn/ker1latest1.example.com@EXAMPLE.COM (des3-cbc-sha1)
2 08/11/2019 01:58:40 nn/ker1latest1.example.com@EXAMPLE.COM (arcfour-hmac)
2 08/11/2019 01:58:40 nn/ker1latest1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
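The check described in the answer above, scripted as an added example (not part of the original post and not Cloudera or MIT Kerberos tooling): it reads `klist -kte` output and labels each distinct principal by whether its name carries a host instance. The function names and the third label, `instance-not-host` (for names such as `user/admin` whose instance is not a host name), are assumptions of this example.

```shell
#!/bin/sh
# Added example. Reads `klist -kte <keytab>` output on stdin and prints one
# line per distinct principal: "<kind> <principal> <enctype,enctype,...>".
# Assumption: an instance containing a dot is treated as a host name.
classify_keytab() {
    awk '
    $1 ~ /^[0-9]+$/ {                      # entry rows begin with the KVNO
        princ = ""; enc = ""
        for (i = 2; i <= NF; i++) {
            if ($i ~ /@/) princ = $i
            else if ($i ~ /^\(.*\)$/) enc = substr($i, 2, length($i) - 2)
        }
        if (princ == "") next
        if (!(princ in seen)) { seen[princ] = 1; order[++n] = princ }
        encs[princ] = (encs[princ] == "") ? enc : (encs[princ] "," enc)
    }
    END {
        for (k = 1; k <= n; k++) {
            p = order[k]; name = p
            sub(/@[^@]*$/, "", name)       # strip the realm
            slash = index(name, "/")
            if (slash == 0) kind = "headless"
            else if (substr(name, slash + 1) ~ /\./) kind = "service"
            else kind = "instance-not-host"
            print kind, p, encs[p]
        }
    }'
}

# Summarise a listing: one kind name, "mixed", or "empty".
keytab_kind() {
    kinds=$(classify_keytab | cut -d" " -f1 | sort -u | tr "\n" " ")
    kinds=${kinds% }
    case "$kinds" in
        "")    echo empty ;;
        *" "*) echo mixed ;;
        *)     echo "$kinds" ;;
    esac
}

# Constructed sample: rows from both listings in the answer, combined.
sample_listing() {
    cat <<'EOF'
Keytab name: FILE:/etc/security/keytabs/nn.service.keytab
KVNO Timestamp Principal
2 08/11/2019 01:58:40 nn/ker1latest1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
2 08/11/2019 01:58:40 nn/ker1latest1.example.com@EXAMPLE.COM (arcfour-hmac)
2 08/11/2019 01:58:27 hdfs-ker1latest@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
EOF
}
```

On a real host the input would come from `klist -kte /etc/security/keytabs/nn.service.keytab | classify_keytab`; the enctype column makes it easy to spot keytabs that still carry DES or RC4 keys.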
Created ‎08-19-2019 09:42 PM
@irfangk1
You can find more details about headless / service principals/keytabs in the following doc:
https://docs.hortonworks.com/HDPDocuments/HDP3/HDP-3.1.0/authentication-with-kerberos/content/kerber...
Created ‎09-27-2019 05:20 AM
Was your query answered? If your question is answered, then please make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
Please revert back if you have any follow-up query in this thread. That way we can find the solution/answer, and other community users can get the benefit.
Created ‎09-29-2019 09:10 PM
Yes
