[Freeipa-users] kadmin.local to manage FreeIPA Kerberos

Alexander Bokovoy abokovoy at redhat.com
Thu Apr 23 05:51:43 UTC 2015


On Thu, 23 Apr 2015, Shaik M wrote:
>Hi,
>
>We have recently deployed FreeIPA for our Hadoop environment.
>
>Recently, the Ambari community released 2.0, and this version supports MIT
>Kerberos, which means Ambari creates all the service principals using
>"kadmin.local".
>
>As far as I know, "kadmin.local" won't work with FreeIPA Kerberos to create
>the principals. :(
>
>Please let me know, are there any alternative ways to create the principals
>using "kadmin.local"?
>
>It would be a great help for us if this can be done with "kadmin.local", or
>else we have to move back to MIT Kerberos.
No, at this time it is not possible to use it. I've looked at the Ambari
code and it shouldn't be hard to implement a FreeIPA-specific
KerberosOperationHandler that does the proper thing by calling out to IPA
tools.

Part of the problem with MITKerberosOperationHandler.java is that you have
no way to pass any arguments and options to kadmin/kadmin.local at all,
so even making it work would require patching that code. At this
point it is easier to rewrite it to use the 'ipa' and ipa-getkeytab
utilities altogether because the code is trivial.

https://github.com/apache/ambari/blob/ed231beaddaf6347d4defb2fb26d75849c0cafc9/ambari-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java
-- 
/ Alexander Bokovoy
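
Added example, not part of the message above and not Ambari or FreeIPA project code: the 'ipa' plus ipa-getkeytab route described in the reply, for one service principal, as a shell script. The server name, principal and keytab path are constructed; it assumes an IPA-enrolled host, a valid admin ticket (kinit) and an existing IPA host entry for the service's host.

```shell
#!/bin/sh
# Added example: create one service principal and fetch its keytab with the
# IPA tools instead of kadmin.local. Assumes an IPA-enrolled host, a valid
# admin ticket (kinit) and an existing IPA host entry for the service's host.
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"   # constructed server name
DRY_RUN="${DRY_RUN:-1}"                       # 1 = only print the commands

# Accept service/host[@REALM] only. Arguments are always quoted below, so this
# check is about option injection (leading '-') and malformed names.
valid_service_principal() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9_./@-]*) return 1 ;;       # empty, option-like, odd chars
        /*|*/|*/*/*|*/@*|*@|*@*@*|*@*/*) return 1 ;; # wrong shape
        */*) return 0 ;;
        *) return 1 ;;                               # no service/host separator
    esac
}

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# create_service_keytab PRINCIPAL KEYTAB_PATH
create_service_keytab() {
    principal="$1"; keytab="$2"
    if ! valid_service_principal "$principal"; then
        echo "rejected principal: $principal" >&2
        return 2
    fi
    # Add the service only when IPA does not already have it.
    if [ "$DRY_RUN" = "1" ] || ! ipa service-show "$principal" >/dev/null 2>&1; then
        run ipa service-add "$principal" || return 1
    fi
    # ipa-getkeytab generates a new key, so keytabs issued earlier for this
    # principal stop working. umask keeps the new file owner-only.
    ( umask 077; run ipa-getkeytab -s "$IPA_SERVER" -p "$principal" -k "$keytab" ) || return 1
}

# Constructed principal and path; in dry-run mode this prints the two commands.
create_service_keytab "nn/host1.example.com@EXAMPLE.COM" ./nn.service.keytab
```

Run with DRY_RUN=0 to execute the commands instead of printing them.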



