Running the Kerberos Security Wizard

Ambari provides three options for enabling Kerberos: using an existing MIT KDC (Automated Setup), using an existing Active Directory (Automated Setup), or manage Kerberos principals and keytabs manually (Manual Setup).

Automated Setup

When choosing Existing MIT KDC or Existing Active Directory, the Kerberos Wizard prompts for information related to the KDC, the KDC Admin Account and the Service and Ambari principals. Once provided, Ambari will automatically create principals, generate keytabs and distribute keytabs to the hosts in the cluster. The services will be configured for Kerberos and the service components are restarted to authenticate against the KDC. This is the Automated Setup option. See “Launching the Kerberos Wizard (Automated Setup)” for more details.

If you chose to enable Kerberos using the Automated Kerberos Setup option, as part of the enabling Kerberos process, Ambari installs the Kerberos clients on the cluster hosts. Depending on your operating system, the following packages are installed:

Table 1. Packages installed by Ambari for the Kerberos Client
Operating System	Packages
RHEL/CentOS/Oracle Linux 7	krb5-workstation
RHEL/CentOS/Oracle Linux 6	krb5-workstation
SLES 11	krb5-client
Ubuntu/Debian	krb5-user, krb5-config

Manual Setup

When choosing Manage Kerberos principals and keytabs manually, you must create the principals, generate and distribute the keytabs; including you performing the “Ambari Server Kerberos setup”. Ambari will not do this automatically. This is the Manual Setup option. See “Launching the Kerberos Wizard (Manual Setup)” for more details.