Using kadmin to Create Kerberos Keytab Files

If your version of Kerberos does not support the -norandkey option to the kadmin xst command, or if you must use kadmin because you cannot use kadmin.local, use the following procedure to create the Kerberos keytab files. The -norandkey option is a convenience, not a requirement: with it, xst writes the principal's existing key to the keytab; without it, xst generates a new random key for the principal and increments its key version number (KVNO), so any keytab previously extracted for that principal stops working. That is why this procedure extracts the HTTP principal's key once per host and merges that single file into each service keytab, rather than extracting it again for each one.

For instructions, see To create the Kerberos keytab files.

To create the Kerberos keytab files

Do the following steps for every host in your cluster, replacing the fully.qualified.domain.name in the commands with the fully qualified domain name of each host:

  1. Create the hdfs keytab file, which contains an entry for the hdfs principal. This keytab file is used for the NameNode, Secondary NameNode, and DataNodes.
    $ kadmin
    kadmin:  xst -k hdfs-unmerged.keytab hdfs/fully.qualified.domain.name
  2. Create the mapred keytab file, which contains an entry for the mapred principal. If you are using MRv1, the mapred keytab file is used for the JobTracker and TaskTrackers. If you are using YARN, the mapred keytab file is used for the MapReduce Job History Server.
    kadmin:  xst -k mapred-unmerged.keytab mapred/fully.qualified.domain.name
  3. YARN only: Create the yarn keytab file, which contains an entry for the yarn principal. This keytab file is used for the ResourceManager and NodeManager.
    kadmin:  xst -k yarn-unmerged.keytab yarn/fully.qualified.domain.name
  4. Create the http keytab file, which contains an entry for the HTTP principal. Extract it only once per host: the same file is merged into each service keytab in step 5, and running xst for HTTP a second time would generate a new key and leave the copy already merged into an earlier keytab stale.
    kadmin:  xst -k http.keytab HTTP/fully.qualified.domain.name
  5. Use the ktutil command to merge the previously-created keytabs. Note that wkt adds entries to an existing keytab file rather than replacing it, so delete any existing hdfs.keytab, mapred.keytab, or yarn.keytab on the host before running these commands; otherwise old entries with a stale KVNO remain alongside the new ones:
    $ ktutil
    ktutil:  rkt hdfs-unmerged.keytab
    ktutil:  rkt http.keytab
    ktutil:  wkt hdfs.keytab
    ktutil:  clear
    ktutil:  rkt mapred-unmerged.keytab
    ktutil:  rkt http.keytab
    ktutil:  wkt mapred.keytab
    ktutil:  clear
    ktutil:  rkt yarn-unmerged.keytab
    ktutil:  rkt http.keytab
    ktutil:  wkt yarn.keytab

    This procedure creates three new files: hdfs.keytab, mapred.keytab and yarn.keytab. These files contain entries for the hdfs and HTTP principals, the mapred and HTTP principals, and the yarn and HTTP principals respectively. The hdfs-unmerged.keytab, mapred-unmerged.keytab, yarn-unmerged.keytab and http.keytab files contain the same keys; delete them once the merged keytabs are verified, and restrict the merged files to the service account that uses them (for example, mode 0400).

  6. Use klist to display the keytab file entries. For example, a correctly-created hdfs keytab file should look something like this:
    $ klist -e -k -t hdfs.keytab
    Keytab name: WRFILE:hdfs.keytab
    slot KVNO Principal
    ---- ---- ---------------------------------------------------------------------
       1    7    HTTP/fully.qualified.domain.name@YOUR-REALM.COM (DES cbc mode with CRC-32)
       2    7    HTTP/fully.qualified.domain.name@YOUR-REALM.COM (Triple DES cbc mode with HMAC/sha1)
       3    7    hdfs/fully.qualified.domain.name@YOUR-REALM.COM (DES cbc mode with CRC-32)
       4    7    hdfs/fully.qualified.domain.name@YOUR-REALM.COM (Triple DES cbc mode with HMAC/sha1)

    Check that both principals are present and that every entry for a given principal carries the same KVNO; two different KVNOs for one principal mean a stale entry was merged in. The encryption types shown in parentheses are whatever the KDC is configured to issue. The DES and Triple DES types in this example are deprecated (RFC 6649 and RFC 8429), and DES is disabled by default in MIT Kerberos 1.8 and later; on a current KDC you should expect AES entries (for example aes256-cts-hmac-sha1-96) instead. If you see only DES entries, review the KDC's supported_enctypes and the cluster's allow_weak_crypto setting before deploying the keytabs.
  7. To verify that you have performed the merge procedure correctly, make sure you can obtain credentials as both the hdfs and HTTP principals using the single merged keytab:
    $ kinit -k -t hdfs.keytab hdfs/fully.qualified.domain.name@YOUR-REALM.COM
    $ kinit -k -t hdfs.keytab HTTP/fully.qualified.domain.name@YOUR-REALM.COM
    $ kdestroy

    Because kinit succeeds only when the key in the keytab matches the key the KDC currently holds for the principal, this check also catches a keytab made stale by a later xst. If either command fails with an error message such as "kinit: Key table entry not found while getting initial credentials", the principal is missing from the merged keytab and something has gone wrong during the merge procedure; if it fails with "kinit: Preauthentication failed while getting initial credentials", the keytab entry exists but its key no longer matches the KDC (typically because xst was run again for that principal after the keytab was written). In either case, go back to step 1 of this document and verify that you performed all the steps correctly. Run kdestroy afterwards so that the HTTP principal's ticket is not left in the default credential cache.

  8. To continue the procedure of configuring Hadoop security in CDH 5, follow the instructions in the section To deploy the Kerberos keytab files.
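The following script is an added example, not part of the CDH documentation or the Cloudera tooling: it drives steps 1 through 7 above for a list of hosts and performs the step 6 and step 7 checks in a form that can be run before the keytabs are deployed. The host name nn1.example.com, the realm EXAMPLE.COM, the KEYTAB_HOSTS and KEYTAB_REALM environment variables, and the two klist listings embedded in the script are assumptions constructed for the example; the kadmin, ktutil, klist, kinit and kdestroy invocations are the standard MIT Kerberos commands used on this page.

```shell
#!/bin/sh
# Added example (not from the CDH documentation): runs steps 1-7 for each host
# and checks the merged keytabs before deployment. Host names, the EXAMPLE.COM
# realm, the KEYTAB_HOSTS/KEYTAB_REALM variables and the sample klist listings
# below are constructed for the example.

# ktutil script for step 5, one service at a time. ktutil's wkt adds to an
# existing file rather than replacing it, so the caller removes SERVICE.keytab first.
ktutil_merge_commands() {
  printf 'rkt %s-unmerged.keytab\nrkt http.keytab\nwkt %s.keytab\nquit\n' "$1" "$1"
}

# Print the KVNO of every entry for PRINCIPAL in a `klist -k` listing read on
# stdin. The KVNO column is located from the header line, so both the
# "slot KVNO Principal" and the "KVNO Timestamp Principal" layouts parse.
keytab_kvnos() {
  awk -v p="$1" '
    BEGIN { col = 0 }
    col == 0 { for (i = 1; i <= NF; i++) if ($i == "KVNO") col = i; next }
    { for (i = 1; i <= NF; i++) if ($i == p) { print $col; break } }
  '
}

# Number of distinct KVNOs recorded for PRINCIPAL in LISTING: 0 means the
# principal is missing, 1 is what a clean merge produces, more than 1 means a
# stale entry from an earlier xst was merged in (xst without -norandkey bumps the KVNO).
principal_kvno_count() {
  printf '%s\n' "$1" | keytab_kvnos "$2" | sort -u | awk 'END { print NR }'
}

# Step 6 check without a KDC: LISTING SERVICE_PRINCIPAL HTTP_PRINCIPAL.
merged_keytab_ok() {
  [ "$(principal_kvno_count "$1" "$2")" -eq 1 ] &&
  [ "$(principal_kvno_count "$1" "$3")" -eq 1 ]
}

# Count entries using deprecated enctypes (DES, Triple DES, RC4); a current KDC
# should be issuing AES keys only.
weak_enctype_count() {
  printf '%s\n' "$1" | grep -cE '\((DES|Triple DES|ArcFour)' || true
}

# Steps 1-7 for one host: HOST REALM. kadmin -q prompts for the admin password.
create_host_keytabs() {
  host=$1; realm=$2
  for svc in hdfs mapred yarn; do
    kadmin -q "xst -k ${svc}-unmerged.keytab ${svc}/${host}"
  done
  # Extract the HTTP key exactly once per host: a second xst would randomize it
  # again and leave the copy already merged into hdfs.keytab with a stale KVNO.
  kadmin -q "xst -k http.keytab HTTP/${host}"
  for svc in hdfs mapred yarn; do
    rm -f "${svc}.keytab"
    ktutil_merge_commands "$svc" | ktutil
    listing=$(klist -e -k -t "${svc}.keytab")
    merged_keytab_ok "$listing" "${svc}/${host}@${realm}" "HTTP/${host}@${realm}" ||
      { echo "${svc}.keytab: merge incomplete or stale KVNO" >&2; return 1; }
    [ "$(weak_enctype_count "$listing")" -eq 0 ] ||
      echo "${svc}.keytab: contains DES/3DES/RC4 entries; check the KDC enctypes" >&2
    # Step 7: both principals must authenticate from the merged file.
    kinit -k -t "${svc}.keytab" "${svc}/${host}@${realm}"
    kinit -k -t "${svc}.keytab" "HTTP/${host}@${realm}"
    kdestroy
    chmod 0400 "${svc}.keytab"
  done
  rm -f hdfs-unmerged.keytab mapred-unmerged.keytab yarn-unmerged.keytab http.keytab
}

# Constructed listings for the offline checks: a clean merge, and one where the
# hdfs key was extracted twice (KVNO 7 and 8) on a KDC still issuing DES keys.
CLEAN_LISTING='Keytab name: FILE:hdfs.keytab
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    7    HTTP/nn1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2    7    HTTP/nn1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3    7    hdfs/nn1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4    7    hdfs/nn1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)'
STALE_LISTING='Keytab name: FILE:hdfs.keytab
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    7    HTTP/nn1.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2    7    HTTP/nn1.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   3    7    hdfs/nn1.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   4    8    hdfs/nn1.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)'

# The live run happens only when hosts are supplied, for example:
#   KEYTAB_HOSTS="nn1.example.com dn1.example.com" KEYTAB_REALM=EXAMPLE.COM sh keytabs.sh
if [ -n "${KEYTAB_HOSTS:-}" ]; then
  for h in $KEYTAB_HOSTS; do
    create_host_keytabs "$h" "${KEYTAB_REALM:?set KEYTAB_REALM}"
  done
fi
```

Run it from the directory where the keytabs should be written, with an admin principal that can run xst. The offline checks (merged_keytab_ok, principal_kvno_count, weak_enctype_count) operate on saved klist output, so they can also be run on a keytab copied off a host to confirm what it contains before it is deployed.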