Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

keytab creation/KDC is AD

Labels:
avatar
author-rank colorsoflife
Rising Star

Created on ‎10-13-2017 11:32 PM - edited ‎09-16-2022 05:24 AM

Hi,

We have Kerberos, AD as KDC. I want to generate the keytabs for service accounts.

kadmin -r <ad-domain> -p CN=kadmin,OU=Service Accounts,DC=xxxx,DC=xxxx,DC=com -w xxxxxxx -s ADSever kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface

Kindly Suggest if any solution??

Regards

Mamta Chawla

11,537 Views
0 Kudos
2 REPLIES 2

avatar
author-rank bkosaraju
Super Collaborator

Created ‎10-14-2017 01:13 AM

Hi @Mamta Chawla,

Prior to retive your keytabs form the host, you need to ensure that, host is prepared to connect to KDC.

by default the configuraton details can be found at /etc/krb5.conf file, so after installing the krb5-workstation (krb5-client in SLES).

[libdefaults]
 ticket_lifetime = 24000
 default_realm = <YOUR_REALM>
 dns_lookup_realm = false
 dns_lookup_kdc = false
 
[realms]
 <YOUR_REALM> = {
  kdc = <YOUR_AD_SERVER1>:88
  kdc = <YOUR_AD_SERVER2>:88
 }


 #######Replace exmple.com with your REALM Name


[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM


[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

alter natively you can copy the same file from the host which is already configured for kerberos client.

once after that, you may use the above command to retrieve the keytabs.

however, please note that, you must have access to retrieve the keytabs from that host and user.

for additional details please follow the instructions given at : https://hortonworks.com/blog/enabling-kerberos-hdp-active-directory-integration/

for more on step by step instructions you may refer here

9,377 Views
0 Kudos

avatar
author-rank rlevas
Guru

Created ‎10-14-2017 08:19 PM

@Mamta Chawla

You cannot use the MIT Kerberos kadmin to create accounts in an Active Directory. That tool is only for use with the MIT KDC. To create accounts in an Active Directory, you will need to use Active Directory-specific tools. However, you can use a similar process that Ambari uses to create accounts in an Active Directory and then manually build the keytab files. This requires the use of the OpenLDAP ldapadd and ldapmodify tools as well as the ktutil command.

See https://community.hortonworks.com/articles/82544/how-to-create-ad-principal-accounts-using-openldap.....

On top of this, you will need to make sure your krb5.conf file is correct in order for you to test it out. The krb5.conf file is not needed to create the AD account if you are using LDAP to do the work.

9,377 Views
Announcements
What's New @ Cloudera
Announcing Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
Announcing Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
Welcome to the Cloudera Community!
Community Announcements
September 2025 Community Highlights
What's New @ Cloudera
Upgrade Your Spark Experience: Introducing CDS 3.5 for Cloud...
View More Announcements