Generate a Kerberos authentication keytab in a Hadoop cluster

Access the cluster by SSH

ssh user_name@server_cluster_name

Authentication in the Shell

kinit user_name@REINO.COM

If authentication is successful, we will receive a ticket-granting ticket (TGT) from the KDC. This means that we have authenticated with the server, but we have not yet received permission to access any service.

Browse the ticket cache to verify that we have received the TGT

klist
Result:
Valid starting     expires            Service Principal
08/13/18 12:39:45  08/13/18 22:39:59  krbtgt/REINO.COM@REINO.COM
        Renew until 08/20/18 12:39:45

Creating keytab on the server:

1. Start the ktutil utility

/usr/sbin/ktutil

2. Run the following commands, which add entries for the most commonly used encryption types and write them to the keytab file

add_entry -password -p user_name@REINO.COM -k 1 -e aes256-cts-hmac-sha1-96
add_entry -password -p user_name@REINO.COM -k 1 -e aes128-cts-hmac-sha1-96
wkt /home/keytab_name.keytab

Copy the generated keytab to the local server

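scp user_name@server_cluster_name:/home/keytab_name.keytab /home

Increase permissions to avoid problems. A keytab holds the principal's long-term keys, so with mode 777 any local user can read it and authenticate as user_name; once the service works, restrict the file to the account that runs the service.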

chmod 777 keytab_name.keytab
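
To find keytabs on a host that group or other users can access, and to restrict one to its owner, the following shell functions can be used. They are an added example, not part of the original procedure; the function names and the temporary demo directory are assumptions.

```shell
#!/bin/sh
# Added example: audit and tighten keytab file modes.
# Function names and the demo directory are hypothetical.

# Print the 9-character permission string (e.g. rwxrwxrwx) of a file.
perm_string() {
    ls -ld -- "$1" | cut -c2-10
}

# Return 0 if group or others have any access to the file, 1 otherwise.
keytab_exposed() {
    case "$(perm_string "$1")" in
        ???------) return 1 ;;   # only owner bits are set
        *)         return 0 ;;
    esac
}

# List every *.keytab under a directory that group or others can access.
audit_keytabs() {
    find "$1" -type f -name '*.keytab' | while IFS= read -r f; do
        if keytab_exposed "$f"; then
            printf '%s %s\n' "$(perm_string "$f")" "$f"
        fi
    done
}

# Restrict a keytab to owner read/write and confirm the result.
harden_keytab() {
    chmod 600 -- "$1" && ! keytab_exposed "$1"
}

# Demo on a constructed empty file standing in for a real keytab.
demo_dir=$(mktemp -d)
: > "$demo_dir/keytab_name.keytab"
chmod 777 "$demo_dir/keytab_name.keytab"      # the mode used in the step above
audit_keytabs "$demo_dir"                     # reports the file
harden_keytab "$demo_dir/keytab_name.keytab"  # now owner-only
audit_keytabs "$demo_dir"                     # reports nothing
rm -rf "$demo_dir"
```

Run harden_keytab as the account that runs the service, so that the file's owner is the only identity able to read the keys.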

Finally, move the generated keytab to the server where you want to authenticate the service. Depending on the service, you may also need to copy some of the following configuration files:

  • core-site.xml: Describes the format and configuration for the core.
  • hdfs-site.xml: Describes the format and configuration for HDFS.
  • yarn-site.xml: Describes the format and configuration for YARN.
  • krb5.conf: Describes the format and settings for the Kerberos V5 library.
  • kdc.conf: Describes the format and configuration for Kerberos V5 AS and KDC.