Export keytab files
Each node requires to generate its own corresponding key.tab.
This example below generates the keytab just for host c902f08x06.
To do another host, c902f08x07, will need to generate a new keytab with a new name like dn3.key.
On the Windows PowerShell, use the ktpass command to generate the principals
and keytab files for all the Domain Users on the HDFS Transparency
cluster.
PS C:\files> ktpass /princ dn/c902f08x06.gpfs.net@AD.GPFS.NET
/mapuser dn/c902f08x06.gpfs.net /pass Admin1234 /out dn2.key /ptype KRB5_NT_SRV_INST /crypto all
Targeting domain controller: adserver.ad.gpfs.net
Successfully mapped dn/c902f08x06.gpfs.net to dn_c902f08x06.gpfs.n.
Password successfully set!
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to dn2.key:
Keytab version: 0x502
keysize 69 dn/c902f08x06.gpfs.net@AD.GPFS.NET ptype 2 (KRB5_NT_SRV_INST)
vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xdac3a2930fc196001f3aeab959748448)
PS C:\files>
Note: The
/crypto specifies the keys that are generated in the keytab file. The default settings are based on
older MIT versions. Therefore, /crypto should always be specified.
Distribute all the keytab files to the HDFS Transparency nodes and rename them to
nn.service.keytab (for NameNode service) and dn.service.keytab (for DataNode
service).
PS C:\files> .\pscp.exe dn2.key root@c902f08x06:/etc/security/keytabs/dn.service.keytabNote: Ensure
that the “dn2.key” exported corresponds to the host c902f08x06. Otherwise, the service will fail to
start.
On the Linux® nodes, change the owner and permissions for all the keytab files.
chown hdfs:hadoop /etc/security/keytabs/nn.service.keytab
chown hdfs:hadoop /etc/security/keytabs/dn.service.keytab
chmod 400 /etc/security/keytabs/nn.service.keytab
chmod 400 /etc/security/keytabs/dn.service.keytab