Support Questions

Find answers, ask questions, and share your expertise

keytab creation/KDC is AD

avatar
Rising Star

Hi,

We have Kerberos, AD as KDC. I want to generate the keytabs for service accounts.

kadmin -r <ad-domain> -p CN=kadmin,OU=Service Accounts,DC=xxxx,DC=xxxx,DC=com -w xxxxxxx -s ADSever kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface

Kindly Suggest if any solution??

Regards

Mamta Chawla

2 REPLIES 2

avatar
Super Collaborator

Hi @Mamta Chawla,

Prior to retive your keytabs form the host, you need to ensure that, host is prepared to connect to KDC.

by default the configuraton details can be found at /etc/krb5.conf file, so after installing the krb5-workstation (krb5-client in SLES).

[libdefaults]
 ticket_lifetime = 24000
 default_realm = <YOUR_REALM>
 dns_lookup_realm = false
 dns_lookup_kdc = false
 
[realms]
 <YOUR_REALM> = {
  kdc = <YOUR_AD_SERVER1>:88
  kdc = <YOUR_AD_SERVER2>:88
 }


 #######Replace exmple.com with your REALM Name


[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM


[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
 

alter natively you can copy the same file from the host which is already configured for kerberos client.

once after that, you may use the above command to retrieve the keytabs.

however, please note that, you must have access to retrieve the keytabs from that host and user.

for additional details please follow the instructions given at : https://hortonworks.com/blog/enabling-kerberos-hdp-active-directory-integration/

for more on step by step instructions you may refer here

avatar
@Mamta Chawla

You cannot use the MIT Kerberos kadmin to create accounts in an Active Directory. That tool is only for use with the MIT KDC. To create accounts in an Active Directory, you will need to use Active Directory-specific tools. However, you can use a similar process that Ambari uses to create accounts in an Active Directory and then manually build the keytab files. This requires the use of the OpenLDAP ldapadd and ldapmodify tools as well as the ktutil command.

See https://community.hortonworks.com/articles/82544/how-to-create-ad-principal-accounts-using-openldap.....

On top of this, you will need to make sure your krb5.conf file is correct in order for you to test it out. The krb5.conf file is not needed to create the AD account if you are using LDAP to do the work.