Unravel 4.2 Documentation

Creating Active Directory Kerberos Principals and Keytabs for Unravel

Define HOST Variable for Unravel Server as an FQDN

(Replace UNRAVEL_HOST with your host's FQDN):

HOST=$UNRAVEL_HOST

Define REALM Variable

(Use upper case for all; replace EXAMPLEDOTCOM with your realm):

REALM=$EXAMPLEDOTCOM


Create the Active Directory (AD) Kerberos Principals and Keytabs

Use the two variables you defined above in place of HOST and REALM in the commands below.

  1. Verify that the Unravel Server host is running the ntpd service and that its time is accurate.
  2. For proper Kerberos operation with AD-KDC, DNS entries, including reverse DNS entries, must be in place.
  3. On the AD server, logged in as AD Administrator, add two Managed Service Accounts, unravel and hdfs:
    1. Open the Active Directory Users and Computers snap-in.
    2. Confirm that the Managed Service Account container exists under the target REALM.
    3. Right-click the Managed Service Account container and choose New->User.
    4. Set the account names (unravel and hdfs) in the first screen and click Next.
    5. Set a strong password for the account (the password will not be used) and
      1. Check Password never expires.
      2. Uncheck Password must be changed.
      3. Check Password cannot be changed.
    6. Right-click the created user, choose Properties, and select the Account tab.
    7. In the Account Options panel, check Kerberos AES256-SHA1.
  4. On the AD server, logged in as AD Administrator, create the Service Principal Names by running the following commands in cmd or PowerShell:
    1. setspn -A unravel/HOST unravel
    2. setspn -A hdfs/HOST hdfs
  5. On the AD server, logged in as AD Administrator, use the ktpass utility in Active Directory to generate the keytab files that Unravel Server will use to authenticate with Kerberos:
    1. ktpass -princ unravel/HOST@REALM -mapUser unravel -Target REALM +rndPass -out unravel.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1
    2. ktpass -princ hdfs/HOST@REALM -mapUser hdfs -Target REALM +rndPass -out hdfs.keytab -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1
  6. Copy the two keytabs (unravel.keytab and hdfs.keytab) from the AD server to the Unravel Server at HOST into /etc/keytabs/ (create the destination directory if need be), then run:
    1. sudo chmod 700 /etc/keytabs/*
    2. sudo chown unravel:unravel /etc/keytabs/unravel.keytab
    3. sudo chown hdfs:hdfs /etc/keytabs/hdfs.keytab
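
A check to run on the copied keytabs before Unravel uses them, added here as an example and not part of the Unravel documentation: it parses the keytab file format (version 0x0502), lists each principal with its key version and encryption type, and reports any entry that is not AES256-SHA1 (enctype 18) or a missing principal. The function names are assumptions of this example, and `build_entry` exists only to fabricate sample input with a dummy key.

```python
import struct

AES256_SHA1 = 18  # Kerberos enctype number of aes256-cts-hmac-sha1-96

def _counted(rec, off):
    """Read a 16-bit length-prefixed string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", rec, off)
    return rec[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from version 0x0502 keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4 + abs(size)
        if size <= 0:                    # negative size marks a deleted slot
            continue
        if pos > len(data):
            raise ValueError("truncated keytab entry")
        rec = data[pos - size:pos]
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        parts, off = [], 2
        for _ in range(ncomp + 1):       # realm first, then name components
            part, off = _counted(rec, off)
            parts.append(part.decode())
        off += 8                         # skip name type and timestamp
        kvno, etype = struct.unpack_from(">BH", rec, off)
        _, off = _counted(rec, off + 3)  # step over the key bytes, never shown
        if len(rec) - off >= 4:          # optional 32-bit kvno, used if nonzero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno, etype))
    return entries

def check_keytab(data, principal):
    """Return a list of problems; an empty list means the keytab looks right."""
    entries = parse_keytab(data)
    bad = [f"{p} kvno {k}: enctype {e}" for p, k, e in entries if e != AES256_SHA1]
    if principal not in [p for p, _, _ in entries]:
        bad.append(f"no entry for {principal}")
    return bad

def build_entry(principal, kvno, etype, key=bytes(32)):
    """Constructed sample input only: encode one entry with a dummy zero key."""
    name, realm = principal.split("@")
    s = lambda t: struct.pack(">H", len(t.encode())) + t.encode()
    body = struct.pack(">H", name.count("/") + 1) + s(realm) + b"".join(map(s, name.split("/")))
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
```

On the Unravel Server, pass the bytes of /etc/keytabs/unravel.keytab together with unravel/HOST@REALM (and likewise for hdfs.keytab); where the MIT Kerberos tools are installed, `klist -kte` shows the same fields.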


Assurances: hdfs.keytab is only usable on Unravel Server and is only used to access HDFS log files and Hive metastore (if applicable).

© Copyright 2015-2019 Unravel Data Systems, Inc. All rights reserved.