Participant II
Posts: 5
Registered: ‎03-02-2017
#1 of 4 499

centrify express user principal

I've configured Centrify Express for AD/Linux integration. I was able to log in to the Linux machine using Windows credentials. I had set up a one-way trust between AD and the local MIT KDC.

[root@master2 ~]# ssh rvchinta@master2
Red Hat Enterprise Linux Server release 6.4 (Santiago)
Kernel 2.6.32-358.el6.x86_64 on an x86_64
Password:
Last login: Sat Mar 4 07:22:34 2017 from 192.168.56.22
[rvchinta@master2 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_cdc201327698_saYNYF
Default principal: rvchinta@CHRSV.COM

Valid starting     Expires            Service principal
03/04/17 10:02:32  03/04/17 20:02:32  krbtgt/CHRSV.COM@CHRSV.COM
        renew until 03/11/17 10:02:32
[rvchinta@master2 ~]$

When I access Hadoop components, it thinks my user name is rvchinta@CHRSV.COM.

Any idea how to handle this? It should be rvchinta, not rvchinta@CHRSV.COM.

Thanks

Centrify Guru I
Posts: 1,719
Registered: ‎07-26-2012
#2 of 4 490

Re: centrify express user principal

@chrsvarma,

 

Welcome to the Centrify Express forums.

 

Moderation Notice:  When posting to the forums always make sure you include the type and version of your UNIX, Linux or Mac Platform as well as the version of adclient you're using (adinfo -v).

 

Several things to note:

 

  • Each Hadoop distribution has its own implementation path.  For information, please review the Centrify integration documentation for Cloudera, Hortonworks or MapR
  • You're using Centrify Express;  this freemium version does not support AD one-way trusts.

 

Now to your question.

 

Note the Kerberos ticket cache file name:  /tmp/krb5cc_cdc201327698_saYNYF  (the cdc means Centrify DirectControl); this means that your system has been automatically configured to work with your AD Kerberos realm.  In order for you to work with multiple configurations, you need to follow the guidance from this post:

 

http://community.centrify.com/t5/TechBlog/HOWTO-Use-Centrify-in-Mixed-Kerberos-Environments/ba-p/213...

 

Hopefully you'll understand that there's an assumption that your realm will be AD, but that you can use both configurations (joined to AD and using an MIT Kerberos as well) by redirecting the location of the krb5.conf file to an alternative location; this way the system can be joined to both realms.

HOWEVER: why would you stand up an independent MIT Kerberos if with Centrify software you can make your Hadoop deployment work with AD?  Less complexity, easier path from test to production.

This is a non-trivial task and my advice is that you use Centrify Standard Edition + our Award-winning PS if this is a commercial organization.

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant II
Posts: 5
Registered: ‎03-02-2017
#3 of 4 483

Re: centrify express user principal

I was able to resolve this issue by myself by adding RULE:[1:$1@$0](.*@CHRSV.COM)s/@.*// in hadoop.security.auth.local in hdfs.
Thanks for taking time and responding to my post.
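How the rule in the post above is evaluated, as an added example that is not part of the original thread and not Hadoop's own code: a simplified Python model of the rule matching Hadoop performs for its `hadoop.security.auth_to_local` property. The realm EXAMPLE.ORG, the principal hdfs/master2 and the look-alike realm CHRSVxCOM are constructed sample values, and `STRICT_RULE` is an assumed variant with the realm dot escaped.

```python
import re

# Simplified model of one Hadoop auth_to_local rule:
#   RULE:[<components>:<format>](<match regex>)s/<from>/<to>/[g]
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]\((.*?)\)(?:s/([^/]*)/([^/]*)/(g)?)?$")

# Rule as posted in the thread, and a variant with the realm dot escaped.
POSTED_RULE = r"RULE:[1:$1@$0](.*@CHRSV.COM)s/@.*//"
STRICT_RULE = r"RULE:[1:$1@$0](.*@CHRSV\.COM)s/@.*//"


def short_name(principal, rules):
    """Return the local user name for a Kerberos principal, or None when no
    rule applies (Hadoop rejects such a principal instead of mapping it)."""
    name, _, realm = principal.partition("@")
    parts = [realm] + name.split("/")          # $0 = realm, $1.. = components
    for rule in rules:
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError("unsupported rule: " + rule)
        count, fmt, match, sed_from, sed_to, glob = m.groups()
        if int(count) != len(parts) - 1:       # component count must be equal
            continue
        base = re.sub(r"\$(\d)", lambda d: parts[int(d.group(1))], fmt)
        if not re.fullmatch(match, base):      # whole string must match
            continue
        if sed_from is not None:
            base = re.sub(sed_from, sed_to, base, count=0 if glob else 1)
        if "@" in base or "/" in base:         # a realm or host survived
            raise ValueError("non-simple name: " + base)
        return base
    return None


if __name__ == "__main__":
    # Constructed sample principals; only the first one appears in the thread.
    for p in ("rvchinta@CHRSV.COM", "rvchinta@EXAMPLE.ORG",
              "hdfs/master2@CHRSV.COM", "rvchinta@CHRSVxCOM"):
        print(p, "->", short_name(p, [POSTED_RULE]),
              "| strict:", short_name(p, [STRICT_RULE]))
```

The posted rule maps only single-component principals whose realm matches, so principals from another realm and service principals such as hdfs/master2 stay unmapped; escaping the dot keeps the realm match literal.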