https://community.cloudera.com/t5/Archives-of-Support-Questions/Cloudera-Security-kerberos-load-on-Windows-AD/m-p/1991#M324 <P>To add to this, Cloudera Manager uses the kadmin interface to generate the service principles. Windows AD does not support the kerberos kadmin interface from my understanding. You will be better off setting up a MIT based Kdc on a linux system and then configuring cross-realm trust with your AD server.</P><P>&nbsp;</P><P>-roland</P> Wed, 02 Oct 2013 23:50:06 GMT Rolando 2013-10-02T23:50:06Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Cloudera-Security-kerberos-load-on-Windows-AD/m-p/1943#M321 <P>&nbsp;</P><P>Hi there</P><P>&nbsp;</P><P>When we implement Cloudera Manager Security with kerberos.</P><P>and we connect to our windows AD for as KDC.</P><P>&nbsp;</P><P>What will the impact / load be on the windows AD ?</P><P>&nbsp;</P><P>can i get some information/numbers about that?</P><P>&nbsp;</P><P>Thank you</P> Fri, 16 Sep 2022 08:48:26 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Cloudera-Security-kerberos-load-on-Windows-AD/m-p/1943#M321 bertbert98 2022-09-16T08:48:26Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Cloudera-Security-kerberos-load-on-Windows-AD/m-p/1981#M322 <P>It can have significant impact. &nbsp;This is why we do not document or support direct configuration against the AD server as a kerberos KDC.</P><P>&nbsp;</P><P>Todd</P> Wed, 02 Oct 2013 23:35:50 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Cloudera-Security-kerberos-load-on-Windows-AD/m-p/1981#M322 Grizzly 2013-10-02T23:35:50Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Cloudera-Security-kerberos-load-on-Windows-AD/m-p/1985#M323 <P>Make sure you "want" kerberos security configured. &nbsp;Disable NameNode HA Auto Failover and Jobtracker HA before starting. &nbsp;If HBASE is in use, you will want to review if you want to keep kerberos enabled. &nbsp;Once you enable kerberos, disabling kerberos can become a complex process as you have to go into zookeeper and remove ACL's over those znode entries, while kerberos is still enabled.</P><P>&nbsp;</P><P>Set up a your cluster KDC, on the CM server for example. &nbsp;If you are on RHEL, Follow the steps here:</P><P>&nbsp;</P><P><A target="_blank" href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Configuring_a_Kerberos_5_Server.html">https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Configuring_a_Kerberos_5_Server.html</A></P><P>&nbsp;</P><P>Make sure to enable ticket renewal in your kdc/krb4 configs right away before starting on the steps laid out in our guide to enabling hadoop security with cloudera manager</P><P>&nbsp;</P><P><A target="_blank" href="http://www.cloudera.com/content/cloudera-content/cloudera-docs/CM4Ent/latest/Configuring-Hadoop-Security-with-Cloudera-Manager/cmchs_using_cm_sec_config.html.">http://www.cloudera.com/content/cloudera-content/cloudera-docs/CM4Ent/latest/Configuring-Hadoop-Security-with-Cloudera-Manager/cmchs_using_cm_sec_config.html.</A></P> Wed, 02 Oct 2013 23:45:18 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Cloudera-Security-kerberos-load-on-Windows-AD/m-p/1985#M323 Grizzly 2013-10-02T23:45:18Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Cloudera-Security-kerberos-load-on-Windows-AD/m-p/1991#M324 <P>To add to this, Cloudera Manager uses the kadmin interface to generate the service principles. Windows AD does not support the kerberos kadmin interface from my understanding. You will be better off setting up a MIT based Kdc on a linux system and then configuring cross-realm trust with your AD server.</P><P>&nbsp;</P><P>-roland</P> Wed, 02 Oct 2013 23:50:06 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Cloudera-Security-kerberos-load-on-Windows-AD/m-p/1991#M324 Rolando 2013-10-02T23:50:06Z