Cloudera Community

Archives of Support Questions (Read Only)

This is an archived board for historical reference. Information and links may no longer be available or relevant
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
This board is archived and read-only for historical reference. To ask a new question, please post a new topic on the appropriate active board.
Solved Go to solution

Kerberos KDC secondary

Labels:
avatar
author-rank arunpoy
Guru

Created on ‎06-21-2016 11:57 AM - edited ‎09-16-2022 03:26 AM

Has anyone tried to have a secondary KDC. In production definitely it is not a good approach to have the KDC as a single point of failure. any thoughts or anyone has the steps with them.

2,852 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank ewalk
Rising Star

Created ‎06-21-2016 06:45 PM

I generally recommend letting DNS handle this. The latest versions of the KRB client will default to resolving the KDC from SRV records in the DNS for the realm. This should be configured by default if you use Microsoft Active Directory (or AWS Simple AD).

If you want it explicit in your krb5.conf file, you can use DNS round robin with the A/AAA/CNAME and reference that name in krb5.conf. Further, you could have multiple "kdc" entries for a realm in krb5.conf and a master_kdc entry which is only used when there are certain kinds of issues.

You can always manage the krb5.conf from Ambari inside the Kerberos component configs.

View solution in original post

2,461 Views
0 Kudos
1 REPLY 1

avatar
author-rank ewalk
Rising Star

Created ‎06-21-2016 06:45 PM

I generally recommend letting DNS handle this. The latest versions of the KRB client will default to resolving the KDC from SRV records in the DNS for the realm. This should be configured by default if you use Microsoft Active Directory (or AWS Simple AD).

If you want it explicit in your krb5.conf file, you can use DNS round robin with the A/AAA/CNAME and reference that name in krb5.conf. Further, you could have multiple "kdc" entries for a realm in krb5.conf and a master_kdc entry which is only used when there are certain kinds of issues.

You can always manage the krb5.conf from Ambari inside the Kerberos component configs.

2,462 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Real time Monitoring for 7.1.9+ and 7.2.18+ with Cl...
What's New @ Cloudera
Announcing Cloudera Streaming Analytics 1.17: Python UDFs, S...
Community Announcements
Content Update: Evolving Our Community Content for Better, A...
Community Announcements
Product Name Updates — Community Label Changes & Notificatio...
What's New @ Cloudera
Announcing Cloudera Data Lineage for Trino
View More Announcements