How can I update the cross-realm trust principal password for an existing Amazon EMR cluster?

Last updated: 2020-03-04

I set up cross-realm trust with an Active Directory domain on a Kerberized Amazon EMR cluster. I need to change the principal password. How do I do that?

Resolution

Amazon EMR creates a krbtgt principal using the cross-realm trust principal password that you specify at cluster launch. This principal is stored in the key distribution center (KDC) on the master node and has the following form:

krbtgt/ADTrustRealm@KerberosRealm

To update the cross-realm trust principal password:

1. Connect to the master node using SSH.

2. Open the kadmin.local tool:

sudo kadmin.local

3. List all principals to find the principal that you want to update (for example, krbtgt/MYADDOMAIN.COM@MYEMRDOMAIN.COM):

list_principals

4. Update the password for the cross-realm trust principal. In the following example, replace krbtgt/MYADDOMAIN.COM@MYEMRDOMAIN.COM with the principal that you found in step 3. kadmin.local prompts for the new password twice.

change_password krbtgt/MYADDOMAIN.COM@MYEMRDOMAIN.COM

5. Exit the kadmin.local tool:

exit

6. To confirm that the new password works, obtain a Kerberos ticket for an Active Directory user and then list HDFS files. Example:

kinit myaduser@MYADDOMAIN.COM
hdfs dfs -ls /tmp
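The six steps above collected into one script, added here as an example and not part of the AWS article: it derives the principal name from the two realm names, checks that list_principals actually shows that principal before touching it, sends the change_password command over kadmin.local's stdin so the new password never appears in a process listing, and ends with the kinit/hdfs check from step 6. The realm names and the AD user are placeholders supplied on the command line, and the new password must match the trust password configured on the Active Directory side, or the final check fails.

```shell
#!/bin/sh
# Added example (not from the AWS article): rotate the EMR cross-realm trust
# principal on the master node. Usage: sh rotate_trust.sh ad.realm emr.realm aduser
# Realm names and the AD user are placeholders passed on the command line.
set -eu

# Build "krbtgt/ADREALM@EMRREALM" from the two realm names (realms are upper-case).
trust_principal() {
    ad_realm=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    emr_realm=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    printf 'krbtgt/%s@%s\n' "$ad_realm" "$emr_realm"
}

# Return 0 if $1 appears as a whole line in a list_principals listing ($2).
principal_listed() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Change the principal's password. The command is fed to kadmin.local's stdin,
# so the secret is not visible in argv the way "kadmin.local -q 'cpw -pw ...'"
# would be. The password is assumed to contain no spaces or quotes.
rotate_trust_password() {
    sudo kadmin.local <<EOF
change_password -pw $2 $1
EOF
}

# Step 6 of the article: a ticket for an AD user, then an HDFS listing.
verify_trust() {
    kinit "$1" && hdfs dfs -ls /tmp
}

rotate_cross_realm_trust() {
    principal=$(trust_principal "$1" "$2")
    listing=$(sudo kadmin.local -q list_principals)
    if ! principal_listed "$principal" "$listing"; then
        echo "principal $principal not found in the EMR KDC" >&2
        return 1
    fi
    printf 'New trust password for %s: ' "$principal" >&2
    stty -echo; read -r new_password; stty echo; echo >&2
    rotate_trust_password "$principal" "$new_password"
    verify_trust "$3@$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
}

if [ "$#" -eq 3 ]; then
    rotate_cross_realm_trust "$@"
fi
```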