Creating Active Directory Kerberos principals and keytabs for Unravel
Define HOST Variable for Unravel Server as an FQDN.
(Replace
UNRAVEL_HOST
with your host's FQDN):HOST=
UNRAVEL_HOST
Define the REALM Variable.
(Use upper case for all; replace
EXAMPLEDOTCOM
with your realm):REALM=
EXAMPLEDOTCOM
Create the Active Directory (AD) Kerberos Principals and Keytabs.
Use the two variables you defined above to replace the red text.
Verify that the Unravel Server host is running ntpd service and that time is accurate.
For proper Kerberos operation with AD-KDC, DNS entries, including reverse DNS entries, must be in place.
On AD server, logged in as AD Administrator, add two Managed Service Accounts
unravel
andhdfs
:Open the Active Directory Users and Computers snap-in.
Confirm that the Managed Service Account container exists under the target
REALM
.Right-click the Managed Service Account container and choose New->User.
Set names (
unravel
andhdfs
) to account in the first screen and click Next.Set a strong password for the account (the password won't be used) and:
Check Password never expires.
Uncheck Password must be changed.
Check Password cannot be changed.
Right-click the created user, choose Properties, and select the Account tab.
In the Account Options panel, check Kerberos AES256-SHA1.
On AD server, logged in as AD Administrator, create the Service Principal Names:
Run these commands in a
cmd
orpowershell
console.setspn -A unravel/
HOST
unravel setspn -A hdfs/HOST
hdfsOn AD server, logged in as AD Administrator, generate keytab files that Unravel Server will use to authenticate with Kerberos using the
ktpass
utility in Active Directory.ktpass -princ unravel/
HOST
@REALM
-mapUser unravel -TargetREALM
+rndPass -out unravel.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 ktpass -princ hdfs/HOST
@REALM
-mapUser hdfs -TargetREALM
+rndPass -out hdfs.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1Copy the two keytabs (
unravel.keytab
andhdfs.keytab
) from AD server to the Unravel Server at HOST into/etc/keytabs/
(create the destination directory if need be) and then run these commands.sudo chmod 700 /etc/keytabs/* sudo chown unravel:unravel /etc/keytabs/unravel.keytab sudo chown hdfs:hdfs /etc/keytabs/hdfs.keytab
Assurances: hdfs.keytab
is only usable on Unravel Server and is only used to access HDFS log files and Hive Metastore (if applicable).