Step 3: Create the Kerberos Principal for Cloudera Manager Server
At the end of the integration process using the configuration wizard, Cloudera Manager Server will create and deploy host principals and keytabs for all services configured on the cluster, which means that Cloudera Manager Server needs its own principal and have privileges to create these other accounts.
If an administrator principal to act on behalf of Cloudera Manager cannot be created on the Kerberos KDC for whatever reason, Cloudera Manager will not be able to create or manage principals and keytabs for CDH services. That means these principals must be created manually on the Kerberos KDC and then imported (retrieved) by Cloudera Manager. See Using a Custom Kerberos Keytab Retrieval Script for details about this process.
Creating the Cloudera Manager Principal
The steps below summarize the process of adding a principal specifically for Cloudera Manager Server to an MIT KDC and an Active Directory KDC. See documentation from MIT, Microsoft, or the appropriate vendor for more detailed information.
Creating a Principal in Active Directory
- Create an Organizational Unit (OU) in your Active Directory KDC service that will contain the principals for use by the CDH cluster.
- Add a new user account to Active Directory, for example, username@EXAMPLE.COM. Set the password for the user to never expire.
- Use the Delegate Control wizard in Active Directory to grant this new user permission to Create, Delete, and Manage User Accounts in the OU created in step 1. Make sure that these permissions are only applied to that specific OU, and nowhere else.
Creating a Principal in an MIT KDC
For MIT Kerberos, administrator principals are defined in the /var/kerberos/krb5kdc/kadm5.acl file on the KDC host. The default entry is:
In this example, principals that include the instance name admin designate a user account as an administrator, such as jdoe/admin@EXAMPLE.COM.
If you modify the kadm5.acl file, such as replacing EXAMPLE.COM with your realm name, make sure to restart the kadmin service:
- RHEL 7 Compatible:
systemctl restart kadmin
- All Others:
service kadmin restart
Create the Cloudera Manager Server administrator principal as shown below, using the admin instance name and your realm name. If your kadm5.acl file defines a different pattern for administrators, make sure that the principal you create matches that pattern.
For MIT Kerberos KDC on a remote host:
kadmin kadmin: addprinc -pw password cloudera-scm/admin@EXAMPLE.COMFor MIT Kerberos KDC on the local host:
kadmin.local kadmin.local: addprinc -pw password cloudera-scm/admin@EXAMPLE.COM