...
Configurations
kerberos-env
...
kdc_type
The type of KDC being used. Either mit-kdc or active-directory
Possible Values: mit-kdc, active-directory
manage_identities
Indicates whether the Ambari user and service Kerberos identities (principals and keytab files) should be managed (created, deleted, updated, etc...) by Ambari or managed manually.
Possible Values: true, false
install_packages
Indicates whether Ambari should install the Kerberos client package(s) or not. If not, it is expected that Kerberos utility programs (such as kadmin, kinit, klist, and kdestroy) are compatible with MIT Kerberos 5 version 1.10.3 in command line options and behaviors.
Possible Values: true, false
ldap_url
The URL to the Active Directory LDAP Interface. This value must indicate a secure channel using LDAPS since it is required for creating and updating passwords for Active Directory accounts.
Example: ldaps://ad.example.com:636
container_dn
The distinguished name (DN) of the container used to store service principals
Example: OU=hadoop,DC=example,DC=com
encryption_types
The supported (space-delimited) list of session key encryption types that should be returned by the KDC.
Default value: aes des3-cbc-sha1 rc4 des-cbc-md5
realm
The default realm to use when creating service principals
Example: EXAMPLE.COM
kdc_host
The IP address or FQDN for the KDC host. Optionally a port number may be included.
Example: kdc.example.com
Example: kdc.example.com:88
admin_server_host
The IP address or FQDN for the KDC Kerberos administrative host. Optionally a port number may be included.
Example: kadmin.example.com
Example: kadmin.example.com:88
executable_search_paths
A comma-delimited list of search paths to use to find Kerberos utilities like kadmin and kinit.
Default value: /usr/bin, /usr/kerberos/bin, /usr/sbin, /usr/lib/mit/bin, /usr/lib/mit/sbin
password_length
The required length for generated passwords.
Default value: 20
password_min_lowercase_letters
The minimum number of lowercase letters (a-z) required in generated passwords
Default value: 1
password_min_uppercase_letters
The minimum number of uppercase letters (A-Z) required in generated passwords
Default value: 1
password_min_digits
The minimum number of digits (0-9) required in generated passwords
Default value: 1
password_min_punctuation
The minimum number of punctuation characters (?.!$%^*()-_+=~) required in generated passwords
Default value: 1
password_min_whitespace
The minimum number of whitespace characters required in generated passwords
Default value: 0
service_check_principal_name
The principal name to use when executing the Kerberos service check
Example: ${cluster_name}-${short_date}
case_insensitive_username_rules
Force principal names to resolve to lowercase local usernames in auth-to-local rules
Possible values: true, false
Default value: false
ad_create_attributes_template
A Velocity template to use to generate a JSON-formatted document containing the set of attribute names and values needed to create a new Kerberos identity in the relevant Active Directory.
Variables include: principal_name, principal_primary, principal_instance, realm, realm_lowercase, normalized_principal, principal_digest, password, is_service, container_dn
Note: This is used only when kdc_type is active-directory.
Default value:
{
"objectClass": ["top", "person", "organizationalPerson", "user"],
"cn": "$principal_name",
#if( $is_service )
"servicePrincipalName": "$principal_name",
#end
"userPrincipalName": "$normalized_principal",
"unicodePwd": "$password",
"accountExpires": "0",
"userAccountControl": "66048"
}
kdc_create_attributes
The set of attributes to use when creating a new Kerberos identity in the relevant (MIT) KDC.
Note: This is used only when kdc_type is mit-kdc.
Example: -requires_preauth max_renew_life=7d
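A pre-deployment check over the kerberos-env properties described above, added here as an example and not part of Ambari's own code. The function name audit_kerberos_env, the WEAK_ENCTYPES list and the sample property values are assumptions of this example.

```python
from urllib.parse import urlparse

# Assumption of this example: enctype names treated as weak, following the
# Kerberos deprecations in RFC 6649 (DES) and RFC 8429 (3DES, RC4).
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md5", "des3", "des3-cbc-sha1",
                 "rc4", "arcfour-hmac"}
# Defaults for the password_min_* properties as documented on this page.
PASSWORD_MINIMUMS = {"password_min_lowercase_letters": 1,
                     "password_min_uppercase_letters": 1,
                     "password_min_digits": 1, "password_min_punctuation": 1,
                     "password_min_whitespace": 0}


def audit_kerberos_env(props):
    """Return findings for a kerberos-env property dict (hypothetical helper)."""
    findings = []
    kdc_type = props.get("kdc_type")
    if kdc_type not in ("mit-kdc", "active-directory"):
        findings.append(f"kdc_type: unsupported value {kdc_type!r}")
    if kdc_type == "active-directory":
        # AD password creation and updates require LDAPS.
        url = urlparse(props.get("ldap_url", ""))
        if url.scheme != "ldaps" or not url.hostname:
            findings.append("ldap_url: must be an ldaps:// URL")
    for enctype in props.get("encryption_types", "").split():  # space-delimited
        if enctype.lower() in WEAK_ENCTYPES:
            findings.append(f"encryption_types: weak enctype {enctype}")
    # A generated password cannot meet minimums that add up past its length.
    length = int(props.get("password_length", 20))
    required = sum(int(props.get(k, d)) for k, d in PASSWORD_MINIMUMS.items())
    if required > length:
        findings.append(f"password_length {length} < required minimums {required}")
    return findings


# Constructed sample values, not taken from a real cluster.
WEAK_SAMPLE = {
    "kdc_type": "active-directory",
    "ldap_url": "ldap://ad.example.com:389",
    "encryption_types": "aes des3-cbc-sha1 rc4 des-cbc-md5",  # page default
    "password_length": "4",
    "password_min_digits": "2",
}
HARDENED_SAMPLE = dict(WEAK_SAMPLE, ldap_url="ldaps://ad.example.com:636",
                       encryption_types="aes", password_length="20")

if __name__ == "__main__":
    for finding in audit_kerberos_env(WEAK_SAMPLE):
        print(finding)
```

With the documented default encryption_types value, the check reports des3-cbc-sha1, rc4 and des-cbc-md5; restricting the list to aes clears those findings.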
krb5-conf
(more to come)
Enabling Kerberos
...