Step 3: Create the Kerberos Principal for Cloudera Manager Server

At the end of the integration process using the configuration wizard, Cloudera Manager Server will create and deploy host principals and keytabs for all services configured on the cluster. This means that Cloudera Manager Server needs its own principal, and that principal must have privileges to create these other accounts.

If an administrator principal to act on behalf of Cloudera Manager cannot be created on the Kerberos KDC for whatever reason, Cloudera Manager will not be able to create or manage principals and keytabs for CDH services. That means these principals must be created manually on the Kerberos KDC and then imported (retrieved) by Cloudera Manager. See Using a Custom Kerberos Keytab Retrieval Script for details about this process.

Creating the Cloudera Manager Principal

The steps below summarize the process of adding a principal specifically for Cloudera Manager Server to an MIT KDC and an Active Directory KDC. See documentation from MIT, Microsoft, or the appropriate vendor for more detailed information.

Creating a Principal in Active Directory

Check your Microsoft documentation for specific details for your Active Directory KDC. The general process is as follows:
  1. Create an Organizational Unit (OU) in your Active Directory KDC service that will contain the principals for use by the CDH cluster.
  2. Add a new user account to Active Directory, for example, username@EXAMPLE.COM. Set the password for the user to never expire.
  3. Use the Delegate Control wizard in Active Directory to grant this new user permission to Create, Delete, and Manage User Accounts in the OU created in step 1. Make sure that these permissions are only applied to that specific OU, and nowhere else.

Creating a Principal in an MIT KDC

For MIT Kerberos, administrator principals are defined in the /var/kerberos/krb5kdc/kadm5.acl file on the KDC host. The default entry is:

*/admin@EXAMPLE.COM     *

In this example, principals that include the instance name admin designate a user account as an administrator, such as jdoe/admin@EXAMPLE.COM.

If you modify the kadm5.acl file, such as replacing EXAMPLE.COM with your realm name, make sure to restart the kadmin service:

  • RHEL 7 Compatible:
    systemctl restart kadmin
  • All Others:
    service kadmin restart

Create the Cloudera Manager Server administrator principal as shown below, using the admin instance name and your realm name. If your kadm5.acl file defines a different pattern for administrators, make sure that the principal you create matches that pattern.

For MIT Kerberos KDC on a remote host:

kadmin
kadmin: addprinc -pw password cloudera-scm/admin@EXAMPLE.COM

For MIT Kerberos KDC on the local host:

kadmin.local
kadmin.local: addprinc -pw password cloudera-scm/admin@EXAMPLE.COM
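
The check that the new principal matches the administrator pattern in kadm5.acl can be scripted before the principal is created. The following is an added example, not Cloudera or MIT code: a simplified POSIX shell matcher that reports which kadm5.acl entry, if any, applies to a principal. The function names match_princ and acl_perms_for, the temporary ACL file and the realm CORP.EXAMPLE are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: which kadm5.acl line governs a given principal?
# Simplified: "*" matches one whole component or the realm, the first
# matching line wins, target and restriction columns are ignored.

# match_princ PATTERN PRINCIPAL -> status 0 when PRINCIPAL fits PATTERN
match_princ() {
    pat_realm=${1##*@}; pat_name=${1%@*}
    pr_realm=${2##*@}; pr_name=${2%@*}
    [ "$pat_realm" = "*" ] || [ "$pat_realm" = "$pr_realm" ] || return 1
    while :; do
        pc=${pat_name%%/*}; nc=${pr_name%%/*}
        [ "$pc" = "*" ] || [ "$pc" = "$nc" ] || return 1
        case $pat_name in */*) pat_more=1 ;; *) pat_more=0 ;; esac
        case $pr_name in */*) pr_more=1 ;; *) pr_more=0 ;; esac
        [ "$pat_more" = "$pr_more" ] || return 1   # component counts differ
        [ "$pat_more" = 1 ] || return 0            # last component matched
        pat_name=${pat_name#*/}; pr_name=${pr_name#*/}
    done
}

# acl_perms_for PRINCIPAL ACLFILE -> prints the permission field of the
# first matching entry; status 1 when no entry matches
acl_perms_for() {
    while read -r pattern perms _rest; do
        case $pattern in ''|'#'*) continue ;; esac
        if match_princ "$pattern" "$1"; then
            printf '%s\n' "$perms"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed sample ACL: the default entry shown on this page.
acl=$(mktemp)
printf '%s\n' '# constructed sample' '*/admin@EXAMPLE.COM     *' > "$acl"
# CORP.EXAMPLE is a made-up realm standing in for "realm not yet replaced".
for p in cloudera-scm/admin@EXAMPLE.COM cloudera-scm@EXAMPLE.COM \
         cloudera-scm/admin@CORP.EXAMPLE; do
    if perms=$(acl_perms_for "$p" "$acl"); then
        echo "$p -> $perms"
    else
        echo "$p -> no matching entry, no admin rights"
    fi
done
rm -f "$acl"
```

Only the first principal matches the default entry: the second lacks the admin instance, and the third is in a realm the ACL does not name, which is what happens when EXAMPLE.COM is left in kadm5.acl.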