In order to create and deploy the host principals and keytabs on your cluster, the Cloudera Manager Server must have the correct Kerberos principal and keytab file. Specifically, the Cloudera Manager Server must have a Kerberos principal that has administrator privileges. Typically, principals with the second component of admin in the principal name (for example, username/admin@YOUR-LOCAL-REALM.com) have administrator privileges. This is why admin is shown in the following instructions and examples.

The instructions in this section illustrate an example of creating the Cloudera Manager Server principal and keytab file for MIT Kerberos. (If you are using another version of Kerberos, refer to your Kerberos documentation for instructions.)

  Note: If you are running kadmin and the Kerberos Key Distribution Center (KDC) on the same host, use kadmin.local in the following steps. If the Kerberos KDC is running on a remote host, you must use kadmin instead of kadmin.local.

To create the Cloudera Manager Server principal and keytab:

1. In the kadmin.local or kadmin shell, type the following command to create the Cloudera Manager Server principal, replacing YOUR-LOCAL-REALM.COM with the name of your realm:

   kadmin:  addprinc -randkey cloudera-scm/admin@YOUR-LOCAL-REALM.COM

2. Create the Cloudera Manager Server cmf.keytab file:

   kadmin:  xst -k cmf.keytab cloudera-scm/admin@YOUR-LOCAL-REALM.COM

     Important: The Cloudera Manager Server keytab file must be named cmf.keytab because that name is hard-coded in Cloudera Manager.