Step 3: Create the Kerberos Principal for Cloudera Manager Server
At the end of the integration process using the configuration wizard, Cloudera Manager Server will create and deploy host principals and keytabs for all services configured on the cluster, which means that Cloudera Manager Server needs its own principal and have privileges to create these other accounts.
If an administrator principal to act on behalf of Cloudera Manager cannot be created on the Kerberos KDC for whatever reason, Cloudera Manager will not be able to create or manage principals and keytabs for CDH services. That means these principals must be created manually on the Kerberos KDC and then imported (retrieved) by Cloudera Manager. See Using a Custom Kerberos Keytab Retrieval Script for details about this process.
Creating the Cloudera Manager Principal
The steps below summarize the process of adding a principal specifically for Cloudera Manager Server to an MIT KDC and an Active Directory KDC. See documentation from MIT, Microsoft, or the appropriate vendor for more detailed information.
Creating a Principal in Active Directory
- Create an Organizational Unit (OU) in your Active Directory KDC service that will contain the principals for use by the CDH cluster.
- Add a new user account to Active Directory, for example, username@YOUR-REALM.EXAMPLE.COM. Set the password for the user to never expire.
- Use the Delegate Control wizard of Active Directory and grant this new user permission to Create, Delete, and Manage User Accounts.
Creating a Principal in an MIT KDC
Create the Cloudera Manager Server principal as shown in one of the examples below, appropriate for the location of the Kerberos instance and using the correct REALM name for your setup.
For MIT Kerberos KDC on a remote host:
kadmin: addprinc -pw password cloudera-scm/admin@YOUR-LOCAL-REALM.COM
kadmin.local: addprinc -pw password cloudera-scm/admin@YOUR-REALM.EXAMPLE.COM