Question: How to configure users for automatic Kerberos credentials with infinite renewal even after the users have logged out?
Answer: Starting with DirectControl 5.2.3 [Centrify Server 2015.1 release], DirectControl added a configurable option in the centrifydc.conf file to support infinite renewal of the Kerberos Ticket Granting Ticket for a user who has logged out while their Hadoop job is still running.
Example usage:
1. Edit centrifydc.conf
2. Add the following line:
krb5.cache.infinite.renewal.batch.users: test_user, test_user@example.com,test_user_sam, test_user_sam@example.com
3. Run adreload
4. Log into the system once using the account password. A keytab file is generated automatically to enable infinite renewal for the user(s).
Option Explanation:
Use this configuration parameter in centrifydc.conf to specify a list of users whose Kerberos credentials require infinite renewal even after the users have logged out. These users must be zone enabled (that is, mapped users are not supported). You can use any of the following formats to specify user names:
unixName
userPrincipalName
SamAccountName
SamAccountName@domain
By default, this parameter does not list any users. If a user is removed from this list, the generated keytab file will be removed the next time adreload is run or adclient is restarted.
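An added example, not part of the original article or of Centrify's tooling: because every user in this list gets a generated keytab file, the list is worth checking against an approved set. The sample config text, the approved list and the function names are constructed for illustration, and accepting "=" as well as ":" as the separator is an assumption.

```python
import re

PARAM = "krb5.cache.infinite.renewal.batch.users"

# Constructed sample; the active line reuses the values from the example usage.
SAMPLE_CONF = """\
# adclient settings (constructed sample)
# krb5.cache.infinite.renewal.batch.users: old_user
krb5.cache.infinite.renewal.batch.users: test_user, test_user@example.com,test_user_sam, test_user_sam@example.com
"""

# "name: value" as shown on the page; "=" is accepted as an assumption.
SETTING = re.compile(r"^\s*([\w.]+)\s*[:=]\s*(.*)$")

def batch_users(conf_text):
    """Return every user listed for infinite renewal, in order, without duplicates."""
    users = []
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or commented-out setting
        m = SETTING.match(line)
        if not m or m.group(1) != PARAM:
            continue
        # Report entries from every active occurrence; which occurrence
        # adclient honours when the parameter is repeated is not assumed here.
        for entry in (e.strip() for e in m.group(2).split(",")):
            if entry and entry not in users:
                users.append(entry)
    return users

def classify(entry):
    """Bare names are unixName or SamAccountName; the rest carry a domain part."""
    return "name@domain" if "@" in entry else "bare name"

def audit(conf_text, approved):
    """Return (listed users, listed users that are not in the approved set)."""
    listed = batch_users(conf_text)
    approved = set(approved)
    return listed, [u for u in listed if u not in approved]

if __name__ == "__main__":
    listed, unapproved = audit(SAMPLE_CONF, ["test_user", "test_user@example.com"])
    for user in listed:
        flag = "REVIEW" if user in unapproved else "ok"
        print(f"{flag:6} {classify(user):12} {user}")
```

To run it against a real host, pass the contents of that host's centrifydc.conf to audit() in place of SAMPLE_CONF.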
For more information, please see the attached Centrify Hadoop Guide.
For groups, please see:
KB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal?