Kerberos commands

Common Kerberos commands:

1. Change the password of a principal (user)

$ kadmin.local

kadmin.local: cpw <principalname>

Enter password for principal "principalname@REALM.COM":

2. Initialize a Kerberos ticket

$ kinit <principalname>

To get verbose trace output, use the options below:

$ KRB5_TRACE=/dev/stdout kinit -V

3. Destroy the current ticket:

$ kdestroy

4. Check the status of Kerberos KDC

$ systemctl status kadmin

$ systemctl status krb5kdc

5. Run kinit using Cron jobs

If kinit runs from a cron job, the job may write the ticket to a different credential cache than the one our interactive session uses, for example Ticket cache: FILE:/tmp/krb5cc_0

If we then run $ klist in our own session, we may not see the ticket:

klist: No credentials cache found (filename: /tmp/krb5cc_123456789_xyz123)

So we need to specify the correct credential cache like below:

$ klist -c FILE:/tmp/krb5cc_0

Valid starting       Expires              Service principal
07/26/2019 17:25:01  07/27/2019 17:25:01  krbtgt/xyzrealm

To run an hdfs command with a specific credential cache, run:

$ KRB5CCNAME=FILE:/tmp/krb5cc_0 hdfs dfs -ls /

Found 5 items
drwxrwxr-x+ - hdfs supergroup 0 2018-11-02 12:10 /data
drwx------ - hbase hbase 0 2019-06-20 09:28 /hbase
drwxrwxr-x - solr solr 0 2018-10-19 12:22 /solr
drwxrwxrwt - hdfs supergroup 0 2019-07-10 14:12 /tmp
drwxr-xr-x - hdfs supergroup 0 2019-07-23 09:39 /user
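
One way to avoid the cache mismatch described in step 5, as an added example that is not from the original post: the cron wrapper below pins KRB5CCNAME to one explicit cache, obtains the ticket from a keytab, and verifies that the cache file is private to the job's user. The script name, keytab path and principal are assumed placeholders; kinit -k -t and klist -s are standard MIT Kerberos options.

```shell
#!/bin/bash
# Added example: cron wrapper that pins the Kerberos credential cache.
# Keytab path and principal below are placeholders, not values from the page.

# Print the on-disk path behind a FILE: cache name; fail for other cache types.
cc_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *:*)    return 1 ;;              # KEYRING:, KCM:, DIR: ... not handled here
        *)      printf '%s\n' "$1" ;;    # a bare path is treated as FILE:
    esac
}

# A ticket cache is a bearer credential. Succeed only if it is a regular file
# (not a symlink), owned by the current user, with mode 0600.
cc_is_private() {
    p=$(cc_path "$1") || return 1
    [ -f "$p" ] && [ ! -L "$p" ] && [ -O "$p" ] || return 1
    [ "$(ls -ld "$p" | cut -c1-10)" = "-rw-------" ]
}

# usage: renew_ticket <cache> <keytab> <principal>
renew_ticket() {
    export KRB5CCNAME="$1"               # same name the consuming job must use
    umask 077
    kinit -k -t "$2" -c "$KRB5CCNAME" "$3" || return 1
    klist -s -c "$KRB5CCNAME" || return 1   # -s: no output, exit status only
    cc_is_private "$KRB5CCNAME"
}

# Constructed crontab entry:  0 */8 * * * /usr/local/bin/krb-renew.sh renew
if [ "${1:-}" = "renew" ]; then
    renew_ticket "FILE:/tmp/krb5cc_$(id -u)" \
        /etc/security/keytabs/svc.keytab "svc@REALM.COM"
fi
```

Jobs that consume the ticket should export the same KRB5CCNAME value, as in the hdfs command above.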

REFERENCE:

https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/

http://janbernhardt.blogspot.com/2017/02/kerberos-debugging-in-java.html
