Home

Creating Active Directory Kerberos principals and keytabs for Unravel

  1. Define HOST Variable for Unravel Server as an FQDN.

    (Replace UNRAVEL_HOST with your host's FQDN):

    HOST=UNRAVEL_HOST
  2. Define the REALM Variable.

    (Use upper case for all; replace EXAMPLEDOTCOM with your realm):

    REALM=EXAMPLEDOTCOM
  3. Create the Active Directory (AD) Kerberos Principals and Keytabs.

    Use the two variables you defined above to replace the red text.

    1. Verify that the Unravel Server host is running ntpd service and that time is accurate.

    2. For proper Kerberos operation with AD-KDC, DNS entries, including reverse DNS entries, must be in place.

    3. On AD server, logged in as AD Administrator, add two Managed Service Accounts unravel and hdfs:

      1. Open the Active Directory Users and Computers snap-in.

      2. Confirm that the Managed Service Account container exists under the target REALM.

      3. Right-click the Managed Service Account container and choose New->User.

      4. Set names (unravel and hdfs) to account in the first screen and click Next.

      5. Set a strong password for the account (the password won't be used) and:

        1. Check Password never expires.

        2. Uncheck Password must be changed.

        3. Check Password cannot be changed.

      6. Right-click the created user, choose Properties, and select the Account tab.

      7. In the Account Options panel, check Kerberos AES256-SHA1.

    4. On AD server, logged in as AD Administrator, create the Service Principal Names:

      Run these commands in a cmd or powershell console.

      setspn -A unravel/HOST unravel 
      setspn -A hdfs/HOST hdfs 
    5. On AD server, logged in as AD Administrator, generate keytab files that Unravel Server will use to authenticate with Kerberos using the ktpass utility in Active Directory.

      ktpass -princ unravel/HOST@REALM-mapUser unravel -TargetREALM+rndPass -out unravel.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 
      ktpass -princ hdfs/HOST@REALM-mapUser hdfs -TargetREALM+rndPass -out hdfs.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1  
    6. Copy the two keytabs (unravel.keytab and hdfs.keytab) from AD server to the Unravel Server at HOST into /etc/keytabs/ (create the destination directory if need be) and then run these commands.

      sudo chmod 700 /etc/keytabs/*
      sudo chown unravel:unravel /etc/keytabs/unravel.keytab
      sudo chown hdfs:hdfs /etc/keytabs/hdfs.keytab 

Assurances: hdfs.keytab is only usable on Unravel Server and is only used to access HDFS log files and Hive Metastore (if applicable).