Creating a Kerberos Keytab file

Save the principal credentials in a keytab file to obtain credentials and authenticate without entering a password each time.

Procedure

  1. Create a keytab file for each node and add the principals' keys for that node:
    kadmin: ktadd -k keytabfilename dse/FQDN
    kadmin: ktadd -k keytabfilename HTTP/FQDN

    where ktadd -k creates the keytab file (or appends to it if it already exists) and adds a key for the DSE service principal and the HTTP principal.

    Example:
    kadmin: ktadd -k /tmp/node1.keytab dse/node1.example.com
    kadmin: ktadd -k /tmp/node1.keytab HTTP/node1.example.com
    kadmin: ktadd -k /tmp/node2.keytab dse/node2.example.com
    kadmin: ktadd -k /tmp/node2.keytab HTTP/node2.example.com
  2. Use the klist command to view your principals in each keytab file:
    For example:
    sudo klist -e -kt /tmp/node1.keytab
    
    Keytab name: FILE:/tmp/node1.keytab
    KVNO Timestamp        Principal
    ---- ---------------- ----------------------------------------------
    2    14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (des3-cbc-sha1)
    2    14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (arcfour-hmac)
    2    14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (des-hmac-sha1)
    2    14/02/16 22:03   HTTP/node1FQDN@YOUR_REALM (des-cbc-md5)
    2    14/02/16 22:03   dse/node1FQDN@YOUR_REALM (des3-cbc-sha1)
    2    14/02/16 22:03   dse/node1FQDN@YOUR_REALM (arcfour-hmac)
    2    14/02/16 22:03   dse/node1FQDN@YOUR_REALM (des-hmac-sha1)
    2    14/02/16 22:03   dse/node1FQDN@YOUR_REALM (des-cbc-md5)
    where: -e displays the encryption type of each key, -k lists the entries in the keytab file, and -t shows the timestamp of each entry.
  3. Distribute the keytab files from the KDC server to the nodes. To ease DSE Kerberos configuration, use the same file name on every node:
    scp /tmp/node1.keytab node_admin@node_hostname:/etc/dse/dse.keytab
  4. Change the permissions on dse.keytab so that only the dse_service_account user can read and write to the keytab file:
    sudo chown dse:dse /etc/dse/dse.keytab && sudo chmod 600 /etc/dse/dse.keytab
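The following script is an added example, not part of the DataStax procedure: it parses the klist -e -kt listing format shown in step 2 to confirm that both the dse/ and HTTP/ principals are present, lists any keys that use deprecated DES, triple-DES or RC4 (arcfour) encryption types, and checks the mode-600 permissions set in step 4. The realm EXAMPLE.COM, the AES entry and the sample listing are constructed for the example.

```shell
#!/bin/sh
# Added example: sanity-check a DSE node keytab (klist listing + permissions).

# Constructed sample listing, in the format `klist -e -kt` prints.
# Realm EXAMPLE.COM and the aes256 entry are assumptions for this sample.
SAMPLE_LISTING='Keytab name: FILE:/tmp/node1.keytab
KVNO Timestamp        Principal
---- ---------------- ----------------------------------------------
   2 14/02/16 22:03   HTTP/node1.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 14/02/16 22:03   HTTP/node1.example.com@EXAMPLE.COM (arcfour-hmac)
   2 14/02/16 22:03   dse/node1.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 14/02/16 22:03   dse/node1.example.com@EXAMPLE.COM (des-cbc-md5)'

# Print the distinct principals in a listing (field 4; the enctype is field 5).
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 3 && NF >= 5 { print $4 }' | sort -u
}

# Succeed only when both dse/FQDN@REALM and HTTP/FQDN@REALM have a key.
keytab_has_dse_principals() {
    principals=$(keytab_principals "$1")
    for svc in dse HTTP; do
        printf '%s\n' "$principals" | grep -qxF "$svc/$2@$3" || return 1
    done
}

# Print entries whose key uses a DES, triple-DES or RC4 (arcfour) enctype;
# these are deprecated and the keys should be regenerated with AES types.
keytab_weak_entries() {
    printf '%s\n' "$1" | awk 'NR > 3 && $5 ~ /^\((des|arcfour)/ { print $4, $5 }'
}

# Number of weak entries, printed as a plain integer.
keytab_weak_count() {
    keytab_weak_entries "$1" | awk 'END { print NR }'
}

# Succeed only when the file is mode 0600 (step 4) and, if given, owned by $2.
keytab_perms_ok() {
    [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ] || return 1
    [ -z "$2" ] || [ "$(ls -ld "$1" | awk '{ print $3 }')" = "$2" ]
}

# Usage on a node: sh check_keytab.sh /etc/dse/dse.keytab FQDN REALM [owner]
if [ "$#" -gt 0 ]; then
    listing=$(klist -e -kt "$1")
    keytab_has_dse_principals "$listing" "$2" "$3" || { echo "missing dse/ or HTTP/ principal in $1"; exit 1; }
    keytab_weak_entries "$listing"
    keytab_perms_ok "$1" "$4" || { echo "bad ownership or mode on $1"; exit 1; }
fi
```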