Pivotal Knowledge Base

How to setup Kerberos authentication with Windows Active Directory in HDB

Environment

Pivotal HDB: 1.x, 2.x

OS: RHEL 6.x

Windows Server

Purpose

The HDB documentation already covers Kerberos authentication against a KDC server running on Linux. This article shows how to set up Kerberos authentication against a Windows Active Directory service instead.

Prerequisite

  • HDB cluster (tested on 2.x)
  • Windows Server installed with Active Directory service (tested on Windows Server 2012)

Procedure

1. Log on to the Windows Server as a user with administrator permissions.

2. Select Start -> Control Panel -> Administrative Tools -> Active Directory Users and Computers. If "Active Directory Users and Computers" does not exist, the Active Directory service may not have been installed correctly; contact your system administrator for assistance.

3. In the "Active Directory Users and Computers" window, right-click Managed Service Accounts under the tree view of the local domain ("DATA.LOCAL" in this example) and select New -> User.

4. In the "New Object - User" popup window, enter

    First name: gpadmin

    User logon name: gpadmin

5. Click Next, enter a password, and enable the "Password never expires" checkbox. Click Next and then Finish.

6. As Administrator, add a Service Principal Name (SPN) for the account just created:

PS C:\Users\Administrator> setspn -A postgres/hdp3.example.com gpadmin

NOTE: "hdp3.example.com" here is the FQDN of the HDB master host. Make sure it is resolvable on the Windows server running the AD service.

7. Generate a keytab file with the ktpass command.

Format

ktpass -princ postgres/<FQDN of HDB master> -pass <password> -mapuser <Managed Service Account name> -crypto ALL -ptype KRB5_NT_PRINCIPAL -out <keytab filename> -kvno 0

Example
PS C:\Users\Administrator> ktpass -princ postgres/hdp3.example.com@DATA.LOCAL -pass abcd1234 -mapuser gpadmin -crypto ALL -ptype KRB5_NT_PRINCIPAL -out hdp3.keytab -kvno 0
Targeting domain controller: WIN-TIH2EBEERUK.DATA.LOCAL
Using legacy password setting method
Key created.
Key created.
Key created.
Key created.
Key created.
Output keytab to hdp3.keytab:
Keytab version: 0x502
keysize 61 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x1 (DES-CBC-CRC) keylength 8 (0xa8d0405789a8469e)
keysize 61 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x3 (DES-CBC-MD5) keylength 8 (0xa8d0405789a8469e)
keysize 69 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x17 (RC4-HMAC) keylength 16 (0x161cff084477fe596a5db81874498a24)
keysize 85 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x12 (AES256-SHA1) keylength 32 (0x20648bd82de77bf66a1dcac4b3050bc308f2cc38f4a13e814ad5bd30e67ef388)
keysize 69 postgres/hdp3.example.com@DATA.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x11 (AES128-SHA1) keylength 16 (0xa026bb25aa495af5334cd4f185d33071):

8. Transfer the generated keytab file to the HDB master. Change the ownership of the keytab file to "gpadmin:gpadmin" and its mode to 600:

[gpadmin@hdp3 ~]$ ls -l hdp3.keytab
-rw-------. 1 gpadmin gpadmin 367 Jun 7 21:48 hdp3.keytab

9. Follow the instructions in the HDB docs to install the Kerberos packages on the HAWQ master.

10. Edit the /etc/krb5.conf configuration file. The following example shows a Kerberos configuration with DATA.LOCAL as the default realm:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = DATA.LOCAL
 default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 DATA.LOCAL = {
  kdc = <KDC Hostname>:88
  admin_server = <KDC Hostname>:749
 }

[domain_realm]
 <KDC Hostname> = DATA.LOCAL
 .<KDC Hostname> = DATA.LOCAL
 .data.local = DATA.LOCAL
 data.local = DATA.LOCAL

11. Modify hawq-site.xml to specify the location of the keytab file. For example, adding the following property to hawq-site.xml specifies /home/gpadmin/hdp3.keytab as the keytab file. Note that if Ambari is used to manage the HDB service, the change should be made through the Ambari web UI:

<property>
    <name>krb_server_keyfile</name>
    <value>/home/gpadmin/hdp3.keytab</value>
</property>

12. Modify the HDB file pg_hba.conf to enable Kerberos support, then restart HDB (hawq restart cluster -a), or restart the HDB service from the Ambari web UI if Ambari is used to manage the HDB service. For example, adding the following line to pg_hba.conf enables GSSAPI and Kerberos support; the value of krb_realm is the Kerberos realm used for authentication to HDB:

host all all 0.0.0.0/0 gss include_realm=0 krb_realm=DATA.LOCAL

13. Create a ticket with kinit and show the tickets in the Kerberos ticket cache with klist:

[gpadmin@hdp3 ~]$ kinit gpadmin
Password for gpadmin@DATA.LOCAL:
[gpadmin@hdp3 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1002
Default principal: gpadmin@DATA.LOCAL

Valid starting     Expires            Service principal
06/08/17 09:24:19  06/08/17 19:24:33  krbtgt/DATA.LOCAL@DATA.LOCAL
        renew until 06/15/17 09:24:19

If kinit fails with the error "Preauthentication failed while getting initial credentials", try enabling the "Do not require Kerberos preauthentication" checkbox in the "Account options" view on the AD server.

14. As a test, log in to the database as the gpadmin role using the gpadmin Kerberos credentials:

$ psql -U gpadmin -h hdp3.example.com template1
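Before pointing krb_server_keyfile at the keytab copied to the master in step 8, it is worth confirming offline that the file holds exactly postgres/<FQDN>@REALM at the expected kvno, and seeing which of the enctypes that ktpass -crypto ALL emitted are single-DES or RC4. The Python parser below for the MIT keytab layout (version 0x502, the version the ktpass output in step 7 reports) is an added example, not code from the original article or from HDB; the keytab it reads is constructed inline in the same layout rather than taken from ktpass, and the function names and zero key bytes are the example's own.

```python
import struct

# Weak RFC 3961/4757 enctypes; "ktpass -crypto ALL" (step 7) writes these next to the AES keys.
WEAK_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}

def _counted(buf, off):  # MIT counted_octet_string: uint16 big-endian length, then bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(blob):
    """Parse a version 0x502 MIT keytab (all integers big-endian) into entry dicts."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % blob[:2])
    off, entries = 2, []
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)   # entry size, excluding this field
        off, end = off + 4, off + 4 + abs(size)
        if size > 0:                                    # a negative size marks a deleted slot
            (ncomp,) = struct.unpack_from(">H", blob, off)
            realm, off = _counted(blob, off + 2)
            comps = []
            for _ in range(ncomp):
                comp, off = _counted(blob, off)
                comps.append(comp.decode())
            name_type, stamp, kvno = struct.unpack_from(">IIB", blob, off)
            (etype,) = struct.unpack_from(">H", blob, off + 9)
            key, off = _counted(blob, off + 11)
            if end - off >= 4:                          # optional 32-bit kvno overrides vno8
                (kvno,) = struct.unpack_from(">I", blob, off)
            entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                            "name_type": name_type, "timestamp": stamp, "kvno": kvno,
                            "etype": etype, "weak": etype in WEAK_ENCTYPES, "keylen": len(key)})
        off = end
    return entries

def untrusted_entries(blob, expected_principal):
    """Entries not to rely on: a principal other than the SPN, or a single-DES/RC4 key."""
    return [e for e in parse_keytab(blob) if e["principal"] != expected_principal or e["weak"]]

def build_entry(principal, etype, key, kvno=0, stamp=1496870880):  # constructed, same layout
    name, realm = principal.split("@")
    body = struct.pack(">H", len(name.split("/")))
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBH", 1, stamp, kvno, etype)     # name_type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body)) + body

SPN = "postgres/hdp3.example.com@DATA.LOCAL"  # constructed sample: one weak DES key, one AES256 key
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(SPN, 3, bytes(8)) + build_entry(SPN, 18, bytes(32))
```

On the master itself, klist -kte hdp3.keytab from the installed Kerberos packages lists the same principal, kvno and enctype fields; the parser shows what that listing is built from.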
