03-04-2017 08:17 AM
I have two Kerberized clusters (both using a local MIT KDC), but both have the same realm name, like EXAMPLE.COM. I want to do distcp between the clusters. I know the best practice is to have a different realm name for these two clusters. There are a lot of articles and blogs discussing the configuration of cross-realm trust, but I couldn't find anything about how to build up the trust in a way similar to cross-realm trust. I am thinking of creating a principal like ABC@EXAMPLE.COM and creating it in both KDCs with the same password, and also adding the KDC and admin servers from the other cluster to the local cluster's krb5.conf file. Not sure whether this is the right approach or not. Has anyone done this kind of configuration before?
07-24-2018 04:06 AM
Did you get this sorted?
I thought the idea was that they were supposed to be in the same realm.
Personally I am being told by the Cloudera Backup BDR tool that I have two different KDCs when I don't, AFAIK.
07-24-2018 12:21 PM
Since this thread is old and you are using BDR, which handles Kerberos much differently than hadoop distcp, please start a new thread and present what you are trying to do and what happens when you try. Include any error messages or log messages and a screenshot or two if you can to help clarify what you are facing.
There is no requirement that two different clusters use the same realm. In fact, a bit more care in configuring krb5.conf and auth_to_local may be required in order to get replication between two clusters in the same realm to work properly.