Creating a Kerberos Keytab file
Save the principal credentials in a keytab file to obtain credentials and authenticate without entering a password each time.
Procedure
- Create a keytab file for each node and add the principal keys for each node:

    kadmin: ktadd -k keytabfilename dse/FQDN
    kadmin: ktadd -k keytabfilename HTTP/FQDN

  where ktadd -k creates or appends a key for the DSE service and HTTP principals.

  Example:

    kadmin: ktadd -k /tmp/node1.keytab dse/node1.example.com
    kadmin: ktadd -k /tmp/node1.keytab HTTP/node1.example.com
    kadmin: ktadd -k /tmp/node2.keytab dse/node2.example.com
    kadmin: ktadd -k /tmp/node2.keytab HTTP/node2.example.com
- Use the klist command to view the principals in each keytab file. For example:

    sudo klist -e -kt /tmp/node1.keytab

  where -e displays the encryption type of each key and -kt lists the keytab entries with their timestamps.

  Output:

    Keytab name: FILE:/tmp/node1.keytab
    KVNO Timestamp         Principal
    ---- ----------------- ----------------------------------------------
       2 14/02/16 22:03    HTTP/node1FQDN@YOUR_REALM (des3-cbc-sha1)
       2 14/02/16 22:03    HTTP/node1FQDN@YOUR_REALM (arcfour-hmac)
       2 14/02/16 22:03    HTTP/node1FQDN@YOUR_REALM (des-hmac-sha1)
       2 14/02/16 22:03    HTTP/node1FQDN@YOUR_REALM (des-cbc-md5)
       2 14/02/16 22:03    dse/node1FQDN@YOUR_REALM (des3-cbc-sha1)
       2 14/02/16 22:03    dse/node1FQDN@YOUR_REALM (arcfour-hmac)
       2 14/02/16 22:03    dse/node1FQDN@YOUR_REALM (des-hmac-sha1)
       2 14/02/16 22:03    dse/node1FQDN@YOUR_REALM (des-cbc-md5)

- Distribute the keytab files from the KDC server to the nodes. To simplify the DSE Kerberos configuration, ensure the file has the same name on each node:

    scp /tmp/node1.keytab node_admin@node_hostname:/etc/dse/dse.keytab
- Change the permissions on dse.keytab so that only the dse_service_account user can read and write the keytab file:

    sudo chown dse:dse /etc/dse/dse.keytab && sudo chmod 600 /etc/dse/dse.keytab
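The script below is an added example, not part of the DataStax documentation: a POSIX shell script that checks a node after the steps above. It parses klist -e -kt output (a constructed sample in the same layout as the output shown in step 2; node1.example.com and EXAMPLE.COM are placeholders) to confirm that both the dse/ and HTTP/ principals for the node are present, lists entries whose key uses a deprecated enctype, and verifies that the keytab's file mode is the 600 set in the last step. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the DataStax documentation): post-setup checks for a
# DSE keytab. Function names and the sample data are this example's own.

# CONSTRUCTED sample of "klist -e -kt" output, in the same layout as the page's
# example; node1.example.com and EXAMPLE.COM are placeholder values.
SAMPLE_KLIST='Keytab name: FILE:/tmp/node1.keytab
KVNO Timestamp         Principal
---- ----------------- ----------------------------------------------------
   2 14/02/16 22:03    HTTP/node1.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 14/02/16 22:03    HTTP/node1.example.com@EXAMPLE.COM (arcfour-hmac)
   2 14/02/16 22:03    dse/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 14/02/16 22:03    dse/node1.example.com@EXAMPLE.COM (des-cbc-md5)'

# Read klist -kt output on stdin and print each distinct principal once.
# Entry lines start with a numeric KVNO; field 4 is the principal.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $4 }' | sort -u
}

# Read klist -kt output on stdin; succeed only if both the dse/ and the HTTP/
# principal for the given FQDN and realm are present (the two the page adds).
keytab_has_principals() {
    fqdn=$1
    realm=$2
    found=$(keytab_principals)
    for svc in dse HTTP; do
        printf '%s\n' "$found" | grep -qxF "$svc/$fqdn@$realm" || return 1
    done
    return 0
}

# Read klist -e -kt output on stdin and print the entries whose key uses an
# enctype deprecated for Kerberos: single DES (RFC 6649), 3DES and RC4
# (arcfour-hmac, RFC 8429). Field 5 is the "(enctype)" column added by -e.
weak_enctype_entries() {
    awk '$1 ~ /^[0-9]+$/ && $5 ~ /^\((des|arcfour)/ { print $4, $5 }'
}

# Succeed only if the file mode is read/write for the owner and nothing for
# group and other, i.e. the 600 that the last step sets with chmod.
keytab_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage against the constructed sample; on a node you would pipe the output of
# "sudo klist -e -kt /etc/dse/dse.keytab" in instead.
if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principals node1.example.com EXAMPLE.COM; then
    echo "OK: dse/ and HTTP/ principals present for node1.example.com"
fi
printf '%s\n' "$SAMPLE_KLIST" | weak_enctype_entries | sed 's/^/WARN deprecated enctype: /'
```

On the constructed sample the principal check passes and three entries are reported with deprecated enctypes; the file-mode check is meant to be run against /etc/dse/dse.keytab after the chown and chmod in the last step.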