Tags: authentication, active-directory, kerberos, hadoop2, keytab

Is it possible to use a keytab for a group of users in AD?


I am using Kerberos with a Hadoop environment, and I use keytab files to give authentication to different users. Now I have some users to whom I have to give the same privilege.
So I created a user group and generated a generic keytab file for that Active Directory group, but validating the keytab file failed. It gives me the error mentioned below:

kinit: Client '[email protected]' not found in Kerberos database while getting initial credentials

Now the question is: is there any possibility of using a keytab file for a group in Active Directory, or do I have to use some other way to achieve the same?


Solution

  • You only need to place one keytab on the application server to successfully do Kerberos SSO authentication, not multiple ones. When users access a service which is Kerberos-enabled, they obtain a Kerberos ticket for that service from the KDC. The keytab on the application server decrypts the contents of that ticket, because inside the keytab is a representation of the service running on the application server that users want to access, the FQDN of the application server, the Kerberos realm name which will honor the authentication attempt, and a cryptographic hash of the service principal in the KDC. As the passwords in each are the same, authentication succeeds. This is a very implied explanation. The keytab won't be able to determine users' group membership, however. That part is authorization, so you'll need to make an LDAP authorization call back to the Directory server if you want to parse group membership.

    There's only one exception to this rule that I know of. In a homogeneous Microsoft-only Active Directory environment, in which Kerberos is the primary authentication method (it is by default), keytabs are not used. Microsoft application servers can, without a keytab, natively decrypt the Kerberos ticket to determine who the user is and parse that same ticket for the user's group information as well, without any need for LDAP calls back to the Directory server. Parsing the Kerberos service ticket for group information is known as reading the PAC. In an AD environment, however, non-Microsoft platforms cannot "read the PAC" for group membership, as Microsoft has never exposed how they do this as far as I am aware. See http://searchwindowsserver.techtarget.com/feature/Advanced-Kerberos-topics-From-authentication-to-authorization.
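To make the answer's point concrete, here is an added example (not part of the original answer or of any project discussed here) that parses the MIT keytab file format and lists what each entry holds: the principal's name components, the realm, the key version number and an encryption key. The sample keytab bytes are constructed inside the script; the principal `HTTP/app.example.com@EXAMPLE.COM`, its key bytes and the `kvno` are placeholders. Running it shows that a keytab is nothing more than a principal name plus key material: there is no list of users and no group membership in it, which is why a "group keytab" cannot authenticate anyone and why authorization has to come from a separate LDAP lookup.

```python
"""Inspect a Kerberos keytab (MIT version 0x0502 layout).

Added example, not code from the original Q&A. The keytab bytes are built
in-script from placeholder values so the script runs offline.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Common RFC 3961 encryption type numbers, for readable output only.
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
KRB5_NT_PRINCIPAL = 1  # name type used for ordinary principals


@dataclass
class KeytabEntry:
    components: List[str]   # e.g. ["HTTP", "app.example.com"]
    realm: str              # e.g. "EXAMPLE.COM"
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes              # the long-term key shared with the KDC

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted(data: bytes, off: int) -> Tuple[bytes, int]:
    """Read a counted_octet_string: 16-bit big-endian length, then bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:      # optional 32-bit kvno; non-zero overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        entries.append(KeytabEntry(comps, realm.decode(), name_type, ts,
                                   kvno, enctype, key))
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialize entries in the same layout parse_keytab() reads."""
    out = b"\x05\x02"
    for e in entries:
        body = struct.pack(">H", len(e.components))
        body += struct.pack(">H", len(e.realm)) + e.realm.encode()
        for c in e.components:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample: one service principal, placeholder key (NOT a real key).
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(["HTTP", "app.example.com"], "EXAMPLE.COM", KRB5_NT_PRINCIPAL,
                timestamp=0, kvno=3, enctype=18, key=bytes(range(32))),
])


def describe(data: bytes) -> List[str]:
    """One line per entry; note there is no user or group data to print."""
    return [f"{e.principal} kvno={e.kvno} "
            f"enctype={ENCTYPE_NAMES.get(e.enctype, e.enctype)} "
            f"keylen={len(e.key)}" for e in parse_keytab(data)]


if __name__ == "__main__":
    for line in describe(SAMPLE_KEYTAB):
        print(line)
```

Point `parse_keytab` at the bytes of a real keytab (for example one exported with `ktutil`) and you get the same picture: each entry names one principal that must already exist in the KDC and carries that principal's key for one encryption type. The `kinit: Client ... not found in Kerberos database` error in the question is the KDC reporting that no such principal exists, which a keytab can never fix on its own.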