Configuring the KDC

To authenticate users with the Kerberos tickets, SingleStore DB must be provided with a service principal name (SPN) stored in a keytab. The SPN is a unique identifier for SingleStore DB, and the keytab file contains the encrypted keys for the SingleStore DB SPN. Together, the SPN and keytab file serve as a credential for SingleStore DB that allows your cluster to automatically authenticate Kerberos users.

Your SingleStore DB deployment environment may affect the way your SPNs and keytab files are generated. For example, if you are using a load balancer in front of your SingleStore DB cluster, its SPN may need to be added to the keytab file that will be copied to each aggregator node in the cluster.

The following sections describe how to create an SPN and keytab file for KDC servers running on Unix/Linux and Windows.

Creating a Service Principal Name and Keytab File

To create a SPN for SingleStore DB, you must have sufficient permissions to access the KDC server’s terminal and to create new SPNs.


A keytab file is a credential that must be handled in a secure manner. Ensure that you always take the appropriate precautions when storing or copying a keytab file.

Unix Kerberos KDC (MIT or Heimdal)

The following steps use the kadmin command-line interface to create a SPN and keytab file on a Unix-based or Linux-based KDC server. See the kadmin documentation for more information.

To create the SPN for SingleStore DB, execute the following command, replacing with your fully-qualified domain name for the host server:

$ kadmin -q "addprinc -randkey memsql/"

You can verify that the SPN was created successfully by executing the following getprinc command:

$ kadmin -q "getprinc memsql/"

After the SingleStore DB SPN has been created, you can create the keytab file. Execute the following command, replacing /path/to/memsql.keytab with your desired output path, and with your fully-qualified domain name for the host server:

$ kadmin -q "ktadd -k /path/to/memsql.keytab memsql/"

Note the output path for the keytab file, as you will need to copy it to SingleStore DB aggregator nodes in future steps. You can verify that the keytab file was created successfully by executing the ktutil command:

$ ktutil

At the ktutil prompt, enter the path to the keytab file you just created and then list its contents:

$ ktutil: read_kt /path/to/memsql.keytab
$ ktutil: list

If the keytab was successfully added, you will see output similar to the following:

slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3          memsql/
   2    3          memsql/

Note the KVNO value, which represents the Key Version Number (KVNO). If you create a new keytab in the future, the encryption keys stored in the older keytab will be invalidated. You can use this KVNO value to compare an older and newer keytab file for versioning purposes.

Windows Active Directory KDC

The following steps use ktpass.exe, which is a command-line tool available for Windows versions configured with Active Directory Domain Services (AD DS). When ktpass.exe is executed with the appropriate parameters, it generates a keytab file that maps an existing Active Directory user principal name (UPN) to a SingleStore DB service principal name (SPN) and allows Kerberos-authenticated users to connect to the cluster. See the ktpass.exe documentation for more information.

Execute the following command in a new command line window with Administrator permissions, replacing any placeholder values with your own:

ktpass.exe /princ memsql/ /mapuser memsqluser /pass +rndpass /out memsql.keytab /crypto all /ptype KRB5_NT_PRINCIPAL /mapop set

  • Replace with your fully-qualified domain name for the host server

  • memsqluser: Replace with the name of the Active Directory user object to bind with the SingleStore DB SPN