3.2. Creating Keytab files

Step 1: As the root user, start the kadmin tool on the KDC server:

/usr/krb5/sbin/kadmin.local
kadmin.local:

Step 2: Create the keytab files for all services in your Hadoop cluster.

Use kadmin utility to execute the following:

kadmin: xst -norandkey -k $keytab_file_name $principal_name/fully.qualified.domain.name

The $keytab_file_name must use the following mandatory naming conventions:

Table 5.17. Secure deployment - Mandatory naming conventions for keytab files
Service Name	Keytab File Name	Principal Name	Permissions	Owner
NameNode	`nn.service.keytab`	`nn`	`700`	`hdfs:hadoop`
NameNode	`spnego.service.keytab`	`HTTP`	`700`	`hdfs:hadoop`
Secondary NameNode	`nn.service.keytab`	`nn`	`700`	`hdfs:hadoop`
Secondary NameNode	`spnego.service.keytab`	`HTTP`	`700`	`hdfs:hadoop`
JobTracker	`jt.service.keytab`	`jt`	`700`	`mapred:hadoop`
TaskTracker	`tt.service.keytab`	`tt`	`700`	`mapred:hadoop`
DataNode	`dn.service.keytab`	`dn`	`700`	`hdfs:hadoop`
HBase Master	`hm.service.keytab`	`hm`	`700`	`hbase:hadoop`
HBase RegionServer	`rs.service.keytab`	`rs`	`700`	`hbase:hadoop`
Hive Metastore	`hive.service.keytab`	`hive`	`700`	`hive:hadoop`
Oozie	`oozie.service.keytab`	`oozie`	`700`	`oozie:hadoop`
Oozie	`spnego.service.keytab`	`HTTP`	`700`	`oozie:hadoop`
WebHCat	`spnego.service.keytab`	`HTTP`	`700`	`webhcat:hadoop`

For example, to create NameNode principals' (nn, host, and HTTP) keytab files, execute the following commands:

kadmin: xst -k nn.service.keytab nn/NAMENODE
kadmin: xst -k spnego.service.keytab HTTP/NAMENODE

On each of the node in your cluster, change directory to the $keytab directory.
Note
The location is specified by the keytabdirproperty in the gsInstaller.properties file
Copy the appropriate keytab file on each of node in your cluster.

	Note
The location is specified by the `keytabdir`property in the `gsInstaller.properties` file

Step 3: Follow the steps listed in Step - 2 above, to create keytab files according to the following mandatory naming conventions:

Table 5.18. Secure deployment - Mandatory naming conventions for HDFS and Smoke test users' keytab files
User Name	Principal Name (mandatory naming convention)
HDFS User	Value specified for `hdfsuser.headless.keytab` property in `master-install-location/gsInstaller/gsInstaller.properties` file.
Smoke Test User	Value specified for `smoke_test_user.headless.keytab` property in `master-install-location/gsInstaller/gsInstaller.properties` file.

Step 4: Use the klist utlity on each of your service to verify that the correct keytab files and principals are associated with the correct service. For example, to verify the keytabs for the NameNode, execute the following command:

klist –k -t /etc/security/nn.service.keytab

Legal notices