Could you please clarify a couple of things with regards the Kerberos authorization needed by the CTA Frontend node (in our case it has also the cta-cli package installed)?
What exactly should be the exact service principle in /etc/cta/cta-frontend.krb5.keytab? In the K8s test instance, this keytab looks like
slot KVNO Principal
1 1 cta/cta-frontend@TEST.CTA
2 1 cta/cta-frontend@TEST.CTA
3 1 cta/cta-frontend@TEST.CTA
I thought the naming scheme for a service principal is service/hostname@realm but I can’t relate this to the above.
With regards the ctaadmin keytab, I understand that this is for authorising CTA admin commands sent to the Frontend but I cant understand how is it related with the ctafrontend service principal. Because “kinit -kt ctaadmin1.keytab ctaadmin1@TEST.CTA” results in the following credentials cache.
Default principal: ctaadmin1@TEST.CTA
Valid starting Expires Service principal
02/11/2021 20:59:43 02/12/2021 20:59:43 krbtgt/TEST.CTA@TEST.CTA
02/11/2021 20:59:53 02/12/2021 20:59:43 cta/cta-frontend@TEST.CTA
Many thanks,
George