Step 3: Get or Create a Kerberos Principal for the Cloudera Manager Server

In order to create and deploy the host principals and keytabs on your cluster, the Cloudera Manager Server must have the correct Kerberos principal. Specifically, the Cloudera Manager Server must have a Kerberos principal that has privileges to create other accounts.

To get or create the Kerberos principal for the Cloudera Manager Server, you can do either of the following:
  • Ask your Kerberos administrator to create a Kerberos administrator principal for the Cloudera Manager Server.
  • Create the Kerberos principal for the Cloudera Manager Server yourself by using the following instructions in this step.

If, for some reason, you cannot create a Cloudera Manager administrator principal on your KDC with the privileges to create other principals and keytabs for CDH services, then these must be created manually and then retrieved by Cloudera Manager. See Using a Custom Kerberos Keytab Retrieval Script.

Creating the Cloudera Manager Principal

The following instructions illustrate how to create the Cloudera Manager Server principal on an MIT KDC and on an Active Directory KDC. (If you are using another Kerberos implementation, refer to its documentation for the equivalent steps.)

If you are using Active Directory:

  1. Create an Organizational Unit (OU) in your AD setup where all the principals used by your CDH cluster will reside.
  2. Add a new user account to Active Directory, for example, <username>@YOUR-REALM.COM. Set the password for this user to never expire: Cloudera Manager stores the password and uses it unattended, so an expiring password would break principal and keytab generation later.
  3. Use AD's Delegate Control wizard to allow this new user to Create, Delete and Manage User Accounts. Delegate on the OU created in step 1, not on the domain root, so that the Cloudera Manager account can only manage the cluster's own principals.

If you are using MIT KDC:

On an MIT KDC, administrative rights come from the kadm5.acl file (the file named by acl_file in kdc.conf), not from the principal name itself. The example kadm5.acl in the MIT Kerberos documentation and in most distribution packages grants all privileges to principals whose second component (instance) is admin, for example username/admin@YOUR-LOCAL-REALM.COM. This is why admin is used as the instance in the following example. If your kadm5.acl has been customised, confirm that it grants the new principal the rights to add, modify and delete principals and to generate their keytabs.
In the kadmin.local or kadmin shell, type the following command to create the Cloudera Manager Server principal, replacing YOUR-LOCAL-REALM.COM with the name of your realm:
kadmin:  addprinc -pw <Password> cloudera-scm/admin@YOUR-LOCAL-REALM.COM
If you omit -pw <Password>, kadmin prompts for the password instead, which avoids leaving it in the terminal's scrollback.
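Because the privilege of cloudera-scm/admin depends entirely on what kadm5.acl says, it is worth checking what the ACL actually grants before handing the principal to Cloudera Manager. The following is an added example, not code from Cloudera or from MIT Kerberos: a small Python evaluator of the kadm5.acl matching rules, run over a constructed sample ACL. YOUR-LOCAL-REALM.COM is the page's placeholder realm; the host name node1.example.com and the target-restricted entries are assumptions made for the example. It goes beyond the page's plain */admin case by showing how ordering and the optional target field can keep the Cloudera Manager principal from creating new */admin accounts while still letting it manage service principals.

```python
"""Evaluate who may do what under an MIT kadm5.acl.

Added example, not code from Cloudera Manager or MIT Kerberos. It re-implements
the kadm5.acl matching rules kadmind applies so an administrator can check,
offline, whether cloudera-scm/admin really holds the privileges Step 3 needs.
Not supported here: back-references (*1, *2) in the target field and the
optional restrictions field.
"""
import re

# 'x' and '*' are shorthand for admcilsp. Neither includes 'e' (extract keys),
# which has to be granted explicitly.
SHORTHAND = {"x": "admcilsp", "*": "admcilsp"}
VALID_LETTERS = set("acdeilmpsx*")

# Constructed sample ACL. kadmind uses the FIRST matching entry, so the narrow
# deny for targets under */admin must precede the entry that grants
# cloudera-scm/admin its rights, and both must precede the broad wildcard.
SAMPLE_ACL = """\
# kadm5.acl (constructed example; YOUR-LOCAL-REALM.COM is a placeholder)
cloudera-scm/admin@YOUR-LOCAL-REALM.COM   ADMCILSP   */admin@YOUR-LOCAL-REALM.COM
cloudera-scm/admin@YOUR-LOCAL-REALM.COM   admcil
*/admin@YOUR-LOCAL-REALM.COM              *
"""


def _wild(pattern):
    """Regex for one component: '*' is any run of characters, '?' one character."""
    return re.compile("".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                              for c in pattern))


def _split(name):
    """'a/b@R' -> (['a', 'b'], 'R'); an unqualified name gets realm ''."""
    local, _, realm = name.partition("@")
    return local.split("/"), realm


def principal_matches(pattern, principal):
    """Per-component match as kadmind does: the component counts must agree and
    each component and the realm is matched separately, so '*/admin@R' never
    matches a one-component name and '*' never spans a '/'."""
    pcomps, prealm = _split(pattern)
    ncomps, nrealm = _split(principal)
    if len(pcomps) != len(ncomps) or not _wild(prealm).fullmatch(nrealm):
        return False
    return all(_wild(p).fullmatch(n) for p, n in zip(pcomps, ncomps))


def parse_kadm5_acl(text):
    """Return [(principal_pattern, perms, target_pattern_or_None), ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2 or not set(fields[1].lower()) <= VALID_LETTERS:
            raise ValueError(f"malformed kadm5.acl entry: {raw!r}")
        rules.append((fields[0], fields[1], fields[2] if len(fields) > 2 else None))
    return rules


def privileges(rules, principal, target=None):
    """Privilege letters left set for `principal` by the first matching entry.

    Letters apply left to right starting from no privileges: lowercase sets a
    bit, uppercase clears it (so 'xA' is everything but add, and 'ADMCILSP' is
    an explicit deny). An entry carrying a target pattern is only considered
    when the operation has a target that matches it. No match, no privileges.
    """
    for pattern, perms, tpattern in rules:
        if not principal_matches(pattern, principal):
            continue
        if tpattern is not None and (target is None or not principal_matches(tpattern, target)):
            continue
        granted = set()
        for ch in perms:
            letters = SHORTHAND.get(ch, ch.lower())
            if ch.islower() or ch in SHORTHAND:
                granted.update(letters)
            else:
                granted.difference_update(letters)
        return granted
    return set()


def can(principal, priv, target=None, acl_text=SAMPLE_ACL):
    """True if `principal` holds privilege letter `priv` (e.g. 'a' = add)."""
    return priv in privileges(parse_kadm5_acl(acl_text), principal, target)


if __name__ == "__main__":
    cm = "cloudera-scm/admin@YOUR-LOCAL-REALM.COM"
    svc = "hdfs/node1.example.com@YOUR-LOCAL-REALM.COM"
    print("CM may add a service principal:", can(cm, "a", svc))
    print("CM may add a */admin principal:", can(cm, "a", "x/admin@YOUR-LOCAL-REALM.COM"))
    print("CM may set explicit keys:", can(cm, "s", svc))
```

To confirm the result against the real KDC rather than a copy of the file, authenticate as the new principal and try a harmless operation, for example kadmin -p cloudera-scm/admin -q 'addprinc -randkey test/probe' followed by delprinc test/probe; a rejected addprinc means kadm5.acl does not grant what Cloudera Manager will need.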