
kinit as service account

#1 of 3


I have a 5-node RH cluster & 1 AD. I used Centrify Express to integrate with AD.

HW distribution.


Enabled Kerberos and stored all SPNs on AD by creating a separate OU.


When I try with the UPN it just works fine:


[rvchinta@mas1 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_cdc205522005_Tw5Vfh
Default principal: rvchinta@CHRSV.COM

Valid starting Expires Service principal
05/12/17 10:32:30 05/12/17 20:32:30 krbtgt/CHRSV.COM@CHRSV.COM
renew until 05/19/17 10:32:30
[rvchinta@mas1 ~]$ hdfs dfs -ls /
Found 11 items
drwxrwxrwx - yarn hadoop 0 2017-05-08 21:14 /app-logs
drwxr-xr-x - hdfs hdfs 0 2017-05-08 21:16 /apps
drwxr-xr-x - yarn hadoop 0 2017-05-08 21:01 /ats
drwxr-xr-x - hdfs hdfs 0 2017-05-08 21:02 /hdp
drwxr-xr-x - mapred hdfs 0 2017-05-08 21:02 /mapred
drwxrwxrwx - mapred hadoop 0 2017-05-08 21:02 /mr-history
drwxr-xr-x - hdfs hdfs 0 2017-05-09 13:17 /ranger
drwxrwxrwx - spark hadoop 0 2017-05-12 10:53 /spark-history
drwxrwxrwx - spark hadoop 0 2017-05-12 10:52 /spark2-history
drwxrwxrwx - hdfs hdfs 0 2017-05-12 08:44 /tmp
drwxr-xr-x - hdfs hdfs 0 2017-05-09 10:05 /user


The issue is with the SPN:


[root@mas1 rvchinta]# su hdfs
[hdfs@mas1 rvchinta]$ klist
klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_cdc205522005_Tw5Vfh)
[hdfs@mas1 rvchinta]$ kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-hwhc@CHRSV.COM
[hdfs@mas1 rvchinta]$ klist
klist: Credentials cache permissions incorrect while setting cache flags (ticket cache FILE:/tmp/krb5cc_cdc205522005_Tw5Vfh)
[hdfs@mas1 rvchinta]$


How do I address this issue?

#2 of 3

Re: kinit as service account

I think I figured it out: when I do a sudo from one account to another I need to destroy the old ticket, else it cannot write to the ticket cache since it is owned by the other account.

#3 of 3

Re: kinit as service account

That's exactly the reason. The Kerberos ticket cache is a file and the user running klist needs to have access to the credential cache or, better yet from a security perspective, the users that need tickets for a principal should have read access to the keytab. These users can then kinit with the keytab.

Felderi Santiago
Technical Director - NA East, LATAM
Centrify Corporation
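Added example (not from the thread or from Centrify): a POSIX shell helper that does what the two replies above describe. After an su/sudo the inherited KRB5CCNAME still points at the caller's cache file, so the helper switches to a cache owned by the current uid before calling kinit with the keytab, and refuses keytabs that other users can read. Function names, the fallback cache path and the stat invocations are my assumptions; MIT Kerberos kinit/klist are assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Select a credential cache owned by the current user instead of the
# one inherited across su/sudo, then get a service ticket from a keytab.

# Strip the "FILE:" prefix from a KRB5CCNAME value.
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# 0 if the cache file is absent or owned by the current uid, else 1.
# (The thread's error comes from a cache owned by the previous user.)
ccache_usable() {
    path=$(ccache_path "$1")
    [ -e "$path" ] || return 0
    owner=$(stat -c %u "$path" 2>/dev/null || stat -f %u "$path")
    [ "$owner" = "$(id -u)" ]
}

# Keep KRB5CCNAME if we can use it, otherwise pick a private per-uid
# cache (assumed path) so we never write into another user's file.
pick_ccache() {
    if [ -n "$1" ] && ccache_usable "$1"; then
        printf '%s\n' "$1"
    else
        printf 'FILE:/tmp/krb5cc_%s_svc\n' "$(id -u)"
    fi
}

# The keytab must be readable by us and not readable by "other".
keytab_ok() {
    [ -r "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        *[1-7]) return 1 ;;   # any world r/w/x bit set: too open
    esac
    return 0
}

# Usage after "su hdfs":
#   kinit_from_keytab /etc/security/keytabs/hdfs.headless.keytab hdfs-hwhc@CHRSV.COM
kinit_from_keytab() {
    keytab_ok "$1" || { echo "keytab $1 missing, unreadable or too open" >&2; return 1; }
    KRB5CCNAME=$(pick_ccache "$KRB5CCNAME")
    export KRB5CCNAME
    kinit -kt "$1" "$2" && klist
}
```

Using `su - hdfs` (a login shell) also drops the caller's KRB5CCNAME, but the explicit check above still protects a script that is run through sudo with the environment preserved.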