Step 3: Get or Create a Kerberos Principal for the Cloudera Manager Server
In order to create and deploy the host principals and keytabs on your cluster, the Cloudera Manager Server must have the correct Kerberos principal. Specifically, the Cloudera Manager Server must have a Kerberos principal that has administrator privileges. Typically, principals whose second component is admin (for example, username/admin@YOUR-LOCAL-REALM.com) have administrator privileges, which is why admin appears in the instructions and examples that follow.
To get or create the Kerberos principal for the Cloudera Manager Server, you can do either of the following:
- Ask your Kerberos administrator to create a Kerberos administrator principal for the Cloudera Manager Server.
- Create the Kerberos principal for the Cloudera Manager Server yourself by using the following instructions in this step.
Creating the Cloudera Manager Principal
If you are using Active Directory
- Create an Organizational Unit (OU) in your AD where all the principals used by your CDH cluster will reside.
- Add a new AD user, for example, <username>@YOUR-REALM.COM. The password for this user should be set to never expire.
- Use AD's Delegate Control wizard to allow this new user to Create, Delete and Manage User Accounts.
If you are using MIT KDC
The instructions in this section illustrate an example of creating the Cloudera Manager Server principal for MIT Kerberos. (If you are using another version of Kerberos, refer to your Kerberos documentation for instructions.)
Note: If you are running kadmin and the Kerberos Key Distribution Center (KDC) on the same host, use kadmin.local in the following steps. If the Kerberos KDC is running on a remote host, you must use kadmin instead of kadmin.local.
In the kadmin.local or kadmin shell, type the following command to create the Cloudera Manager Server principal, replacing YOUR-LOCAL-REALM.COM with the name of your realm:
kadmin: addprinc -pw <Password> cloudera-scm/admin@YOUR-LOCAL-REALM.COM
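On an MIT KDC the admin name component confers no privileges by itself; what kadmind actually enforces is the kadm5.acl file, so it is worth confirming that the ACL grants the new principal the rights it needs before relying on it. The Python script below is an added example, not Cloudera's or MIT Kerberos's own code: it is a simplified reader for the kadm5.acl format (principal pattern, permission letters, optional target column, first matching entry wins), the ACL contents are constructed, and the set of required rights (admcil) is an assumption for this example.

```python
import fnmatch

# Permission letters used in MIT kadm5.acl; "x" or "*" stands for all of them.
ALL_PERMS = "admcilsp"
# Rights assumed here for creating and deleting host principals and keytabs:
# add, delete, modify, change password, inquire, list.
REQUIRED = set("admcil")


def principal_matches(pattern, principal):
    """Match the realm and each name component with shell-style wildcards.
    Component counts must agree, so */admin does not match cloudera-scm."""
    p_name, _, p_realm = pattern.partition("@")
    n_name, _, n_realm = principal.partition("@")
    if not fnmatch.fnmatchcase(n_realm, p_realm):
        return False
    p_parts, n_parts = p_name.split("/"), n_name.split("/")
    return len(p_parts) == len(n_parts) and all(
        fnmatch.fnmatchcase(n, p) for p, n in zip(p_parts, n_parts))


def granted_permissions(acl_text, principal):
    """Return the permission letters granted by the first matching entry.
    Entries limited to a target principal other than * are skipped, because
    this check asks about rights over all principals; restrictions are ignored."""
    for raw in acl_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) < 2 or not principal_matches(fields[0], principal):
            continue
        if len(fields) >= 3 and fields[2] != "*":
            continue
        if fields[1] in ("*", "x"):
            return set(ALL_PERMS)
        return {c for c in fields[1] if c.islower()}  # uppercase letters deny
    return set()


def has_admin_rights(acl_text, principal):
    return REQUIRED <= granted_permissions(acl_text, principal)


# Constructed kadm5.acl contents for illustration, not from any real KDC.
SAMPLE_ACL = """\
# entries are checked in order; the first match decides
*/admin@YOUR-LOCAL-REALM.COM        *
cloudera-scm@YOUR-LOCAL-REALM.COM   il
"""

if __name__ == "__main__":
    for p in ("cloudera-scm/admin@YOUR-LOCAL-REALM.COM", "cloudera-scm@YOUR-LOCAL-REALM.COM"):
        print(p, "->", sorted(granted_permissions(SAMPLE_ACL, p)))
```

Run it against a copy of the KDC's real kadm5.acl (by default under /var/kerberos/krb5kdc or /etc/krb5kdc, depending on the distribution) to see which rights the entry for cloudera-scm/admin actually grants.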