For enhanced security, Cloudera configures the hybrid environment’s FreeIPA to permit
only strong encryption types for Kerberos. Therefore, you have to make sure that Active
Directory is configured accordingly.
Starting from Active Directory 2022, the AES-128 and AES-256 Kerberos
encryption types are enabled by default for all newly created users, so no
additional configuration is needed there.
For Active Directory versions prior to 2022, you have to configure your on-premises
Cloudera Manager to set the encryption type in Active
Directory when creating users.
- Select .
- Set krb_enc_types to either aes128-cts or aes256-cts.
- Enable ad_set_encryption_types.
These settings only apply to newly created users, so you have to regenerate
all keytabs.
- Select .
- Select all credentials and click Regenerate Selected.
- The Kerberos configuration also has to be edited on the on-premises cluster’s
nodes. The following is a sample configuration for aes128 compatibility:
default_tgs_enctypes = aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
- Locate the most recently written keytab used by a Cloudera Manager managed process
and check which encryption types its entries use:
KEYTAB=$(find /run/cloudera-scm-agent/process/ -name "*.keytab" -printf "%T@ %p\n" | sort -n | tail -n1 | awk '{print $2}')
klist -kte "$KEYTAB"
Keytab name: FILE:/run/cloudera-scm-agent/process/241-impala-IMPALAD/impala.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 11/13/2025 13:36:34 HTTP/ccycloud-3.ad-dbajzath.root.comops.site@QE-INFRA-AD.CLOUDERA.COM (aes128-cts-hmac-sha1-96)
1 11/13/2025 13:36:34 impala/ccycloud-3.ad-dbajzath.root.comops.site@QE-INFRA-AD.CLOUDERA.COM (aes128-cts-hmac-sha1-96)
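To verify the last step across every principal in a keytab rather than by eye, the following added example (not Cloudera's code) parses `klist -kte` output and compares each entry's encryption type against the permitted_enctypes line from the sample configuration above; the keytab listing is a constructed sample with placeholder hostnames and realm, and the third entry is deliberately a legacy RC4 type so the mismatch case is exercised.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `klist -kte` output (placeholder host and realm).
# In practice feed it the real output: check_keytab(subprocess_output, PERMITTED_LINE).
SAMPLE_KLIST = """Keytab name: FILE:/run/cloudera-scm-agent/process/241-impala-IMPALAD/impala.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
   1 11/13/2025 13:36:34 HTTP/host1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 11/13/2025 13:36:34 impala/host1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 11/13/2025 13:36:34 impala/host1.example.com@EXAMPLE.COM (arcfour-hmac)
"""

# The permitted_enctypes line from the sample krb5 configuration in this page.
PERMITTED_LINE = ("permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 "
                  "aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac")

# One keytab entry: KVNO, date, time, principal, then the enctype in parentheses.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_permitted(line: str) -> Set[str]:
    """Return the set of enctype names listed after 'permitted_enctypes ='."""
    _, _, value = line.partition("=")
    return set(value.split())


def parse_klist(output: str) -> List[Tuple[int, str, str]]:
    """Parse `klist -kte` output into (kvno, principal, enctype) tuples,
    skipping the 'Keytab name:' line and the column header/separator."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries


def check_keytab(output: str, permitted_line: str) -> Dict[str, List[str]]:
    """Map each principal to the enctypes of its entries that the node's
    permitted_enctypes would reject; an empty list means all entries are usable."""
    allowed = parse_permitted(permitted_line)
    rejected: Dict[str, List[str]] = {}
    for _, principal, enctype in parse_klist(output):
        rejected.setdefault(principal, [])
        if enctype not in allowed:
            rejected[principal].append(enctype)
    return rejected
```

A principal whose list is non-empty still has an entry that AD issued with a type the cluster nodes will not accept, which is the symptom that the keytab regeneration step above is meant to clear.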