How to merge Kerberos Keytabs without increasing kvno.

In scenarios which requires having same principal as part of multiple keytabs using xst or ktadd will increment the kvno making previous keytabs irrelevant .

For example:- HTTP  service principal is used for spnego authentication by both hadoop service and hbase rest service. If hdfs and hbase keytabs are created individually as shown following

xst -k spnego.service.keytab HTTP/

xst -k hbase.service.keytab HTTP/

The keytab for hadoop will have an old version of HTTP principal this can be confirmed by running klist

[root@server1 keytabs]# klist -k hbase.service.keytab
Keytab name: FILE:hbase.service.keytab
KVNO Principal
—- ————————————————————————–

[root@server1 keytabs]# klist -k spnego.service.keytab
Keytab name: FILE:spnego.service.keytab
KVNO Principal
—- ————————————————————————–

Once the keytabs are configured for HDFS, webhdfs services fails to start because the keytab is no longer valid. If you try to do kinit using HDFS spnego keytab you will notice following error, which is an indication that kvno is modified.

kinit -kt spnego.service.keytab HTTP/
kinit: Password incorrect while getting initial credentials

To list the current kvno in the kerberos server run , the following commands on the kerberos server


kadmin.local:  getprinc HTTP/
Principal: HTTP/
Expiration date: [never]
Last password change: Wed Mar 29 18:24:35 PDT 2017
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Wed Mar 29 18:24:35 PDT 2017 (nn/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, aes128-cts-hmac-sha1-96, no salt
Key: vno 2, des3-cbc-sha1, no salt
Key: vno 2, arcfour-hmac, no salt
MKey: vno 1
Policy: [none]

Best practice for creating keytabs with overlapping principals.

1. Generate a keytab ,containing only the overlapping principal

xst -k spnego.service.keytab HTTP/

2. For all other keytabs which need this principal use ktutil command as shown following

ktutil:  rkt spnego.service.keytab
ktutil:  rkt hbase.service.keytab
ktutil:  wkt hbase.service.keytab
ktutil:  exit

rkt loads all the principals in the keytab to the buffer, wkt creates a new keytab with all the principals currently in the buffer.

After executing the ktutil commands ,hbase.service.keytab will contain the HTTP principal with same kvno.

[root@hives1 ~]# klist -k hbase.service.keytab
Keytab name: FILE:hbase.service.keytab
KVNO Principal
—- ————————————————————————–


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s