Creating a Kerberos Keytab File
Save the principal credentials in a keytab file so that DSE can obtain credentials and authenticate without entering a password each time.
Procedure
- Create a keytab file for each node and add that node's principal keys to it:
    kadmin: ktadd -k <keytabfilename> dse/<FQDN>
    kadmin: ktadd -k <keytabfilename> HTTP/<FQDN>
  where ktadd -k creates the keytab file if it does not exist and appends keys for the DSE service and HTTP principals. Example:
    kadmin: ktadd -k /tmp/node1.keytab dse/node1.example.com
    kadmin: ktadd -k /tmp/node1.keytab HTTP/node1.example.com
    kadmin: ktadd -k /tmp/node2.keytab dse/node2.example.com
    kadmin: ktadd -k /tmp/node2.keytab HTTP/node2.example.com
- Use the klist command to view the principals in each keytab file. For example:
    sudo klist -e -kt /tmp/node1.keytab
    Keytab name: FILE:/tmp/node1.keytab
    KVNO Timestamp      Principal
    ---- -------------- ----------------------------------------------
       2 14/02/16 22:03 HTTP/node1FQDN@YOUR_REALM (des3-cbc-sha1)
       2 14/02/16 22:03 HTTP/node1FQDN@YOUR_REALM (arcfour-hmac)
       2 14/02/16 22:03 HTTP/node1FQDN@YOUR_REALM (des-hmac-sha1)
       2 14/02/16 22:03 HTTP/node1FQDN@YOUR_REALM (des-cbc-md5)
       2 14/02/16 22:03 dse/node1FQDN@YOUR_REALM (des3-cbc-sha1)
       2 14/02/16 22:03 dse/node1FQDN@YOUR_REALM (arcfour-hmac)
       2 14/02/16 22:03 dse/node1FQDN@YOUR_REALM (des-hmac-sha1)
       2 14/02/16 22:03 dse/node1FQDN@YOUR_REALM (des-cbc-md5)
  where -e displays the encryption type of each key and -kt lists the keys in the keytab file with their timestamps.
- Distribute the keytab files from the KDC server to the nodes. To ease DSE Kerberos configuration, ensure the files have the same name on each node:
    scp /tmp/node1.keytab <node_admin>@<node_hostname>:/etc/dse/dse.keytab
- Change the permissions on dse.keytab so that only the dse_service_account user can read and write the keytab file:
    sudo chown dse:dse /etc/dse/dse.keytab && sudo chmod 600 /etc/dse/dse.keytab
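As an added example (not part of the DataStax procedure above), a POSIX shell script that verifies the outcome of the last three steps on a node: the distributed keytab is owned by the service account with mode 0600, and the klist listing contains both the dse/ and HTTP/ principals for this node's FQDN rather than a keytab built for another host. The path /etc/dse/dse.keytab, the dse user and the realm placeholder YOUR_REALM are assumed from the procedure.

```shell
#!/bin/sh
# Added example: sanity checks for a distributed DSE keytab (not DataStax code).
# Assumes the layout used in the procedure: /etc/dse/dse.keytab owned by dse:dse.

# check_keytab_perms FILE OWNER
# Returns 0 only if FILE is a regular file owned by OWNER (name or uid) with
# mode 0600, i.e. no group or world access to the long-term service keys.
check_keytab_perms() {
  file=$1; owner=$2
  [ -f "$file" ] || return 1
  want_uid=$(id -u "$owner" 2>/dev/null) || want_uid=$owner
  # GNU stat uses -c, BSD/macOS stat uses -f; try GNU first.
  if mode=$(stat -c '%a' "$file" 2>/dev/null); then
    have_uid=$(stat -c '%u' "$file")
  else
    mode=$(stat -f '%Lp' "$file"); have_uid=$(stat -f '%u' "$file")
  fi
  [ "$have_uid" = "$want_uid" ] || return 1
  [ "$mode" = "600" ] || return 1
}

# check_keytab_principals LISTING FQDN REALM
# LISTING is the text of `klist -e -kt FILE`. Returns 0 only when both
# dse/FQDN@REALM and HTTP/FQDN@REALM appear, catching a keytab that was
# built for, or copied from, a different node.
check_keytab_principals() {
  listing=$1; fqdn=$2; realm=$3
  for svc in dse HTTP; do
    printf '%s\n' "$listing" | grep -Eq " $svc/$fqdn@$realm( |\$)" || return 1
  done
}

# Run both checks against the local node (assumed paths and realm placeholder).
keytab_self_check() {
  check_keytab_perms /etc/dse/dse.keytab dse \
    || { echo "keytab has wrong owner or mode (want dse, 0600)"; return 1; }
  check_keytab_principals "$(klist -e -kt /etc/dse/dse.keytab)" "$(hostname -f)" YOUR_REALM \
    || { echo "keytab lacks dse/ or HTTP/ principal for this host"; return 1; }
  echo "keytab OK"
}

if [ "${1:-}" = "--check" ]; then keytab_self_check; fi
```

Run it as `sh keytab_check.sh --check` on each node after step 4. Each ktadd run generates a fresh random key and increments the KVNO, so re-running ktadd for a principal invalidates keytabs already distributed for it.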