For enhanced security, Cloudera configures the hybrid environment's FreeIPA to permit only strong encryption types for Kerberos. You must therefore ensure that Active Directory is configured accordingly.
Starting from Active Directory 2022, the AES-128 and AES-256 Kerberos encryption types are enabled by default for all newly created users, so no additional configuration is needed there.
- For Active Directory versions before 2022, you must configure your on-premises Cloudera Manager to set the encryption type in Active Directory when it creates users.
- Go to .
- Set the krb_enc_types property to either aes128-cts or aes256-cts.
- Set the ad_set_encryption_types property to True or False.
These settings apply only to newly created users, so you must regenerate all keytabs.
- Go to .
- Select all credentials and click Regenerate Selected.
- Edit the Kerberos configuration on the on-premises cluster nodes. The following sample configuration is for aes128 compatibility:
default_tgs_enctypes = aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96
default_tkt_enctypes = aes128-cts-hmac-sha256-128 aes128-cts-hmac-sha1-96
permitted_enctypes = aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 camellia256-cts-cmac camellia128-cts-cmac
- Locate the latest keytab used by the Cloudera Manager process and check its encryption types:
KEYTAB=$(find /run/cloudera-scm-agent/process/ -name "*.keytab" -printf "%T@ %p\n" | sort -n | tail -n1 | awk '{print $2}')
klist -kte "$KEYTAB"
Keytab name: FILE:/run/cloudera-scm-agent/process/241-impala-IMPALAD/impala.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 11/13/2025 13:36:34 HTTP/ccycloud-3.ad-dbajzath.root.comops.site@QE-INFRA-AD.CLOUDERA.COM (aes128-cts-hmac-sha1-96)
1 11/13/2025 13:36:34 impala/ccycloud-3.ad-dbajzath.root.comops.site@QE-INFRA-AD.CLOUDERA.COM (aes128-cts-hmac-sha1-96)
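As an added example (not part of the Cloudera documentation), the following POSIX shell audit reads `klist -kte` output like the listing above and reports every keytab entry whose encryption type is not one of the AES types; the sample listing, host names and realm are constructed, and the strong-enctype list is an assumption matching the permitted_enctypes shown earlier.

```shell
#!/bin/sh
# Added example (not Cloudera's code): audit `klist -kte` output and report
# keytab entries whose encryption type is not an AES type.
# Usage: klist -kte "$KEYTAB" | weak_keytab_entries
# Enctype names follow the MIT Kerberos naming used in krb5.conf (assumed list).
STRONG_ENCTYPES="aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96"

# Return 0 if the enctype name in $1 is in STRONG_ENCTYPES, 1 otherwise.
is_strong_enctype() {
    for e in $STRONG_ENCTYPES; do
        [ "$1" = "$e" ] && return 0
    done
    return 1
}

# Read klist -kte output on stdin; print "principal enctype" for each weak entry.
# Exit status: 0 if every entry is strong, 1 if any weak entry was found.
weak_keytab_entries() {
    found=0
    while IFS= read -r line; do
        # Entry lines look like: "   1 11/13/2025 13:36:34 princ@REALM (enctype)"
        case "$line" in
            *'@'*'('*')') ;;   # a keytab entry carrying an enctype
            *) continue ;;     # "Keytab name:", header and separator lines
        esac
        enctype=${line##*(}          # text after the last "("
        enctype=${enctype%)}         # drop the closing ")"
        principal=$(printf '%s\n' "$line" | awk '{print $4}')
        if ! is_strong_enctype "$enctype"; then
            printf '%s %s\n' "$principal" "$enctype"
            found=1
        fi
    done
    return $found
}

# Constructed sample listing (not a real keytab); one entry still uses RC4.
SAMPLE_KLIST='Keytab name: FILE:/run/cloudera-scm-agent/process/EXAMPLE/impala.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/13/2025 13:36:34 HTTP/host1.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 11/13/2025 13:36:34 impala/host1.example.com@EXAMPLE.COM (arcfour-hmac)'

# Run the audit over the sample; returns 1 because a weak entry is present.
weak_report() {
    printf '%s\n' "$SAMPLE_KLIST" | weak_keytab_entries
}

weak_report || echo "weak keytab entries found: regenerate credentials"
```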