Community Articles
Find and share helpful community-sourced technical articles
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.
Labels (1)
Community Manager

When a user runs a kinit command on host A, their ticket is stored locally on host A. From then on, each command they run uses this ticket. If they then connect to host B, they will need to run the kinit command again as the ticket will not be available in the local ticket cache (/tmp/krb5cc_1000 for example).
When a principal is created in the Key Distribution Center (KDC), it can be specified in two ways:

  • user/host@domain
  • user@domain

If a ticket is created in the first format, the user will be able to kinit *only* on the host specified so they would need one principal per host. If the second format is used, they can kinit from any host so only one principal is required.
Hadoop services use the first format because attempting to kinit with the second format simultaneously from several hosts will cause some of the requests to be rejected in order to prevent man-in-the-middle replay attacks.

So in short, it's possible to kinit on any node on the cluster, but typically not possible to kinit once and have it be used everywhere by default because the file is stored locally in /tmp/krb5cc_1000.

Kerberos ticket forwarding allows for an SSH session to pass the forwardable tickets on to the next host, which is similar to the concept of single-sign-on, but requires that all sessions are initiated to the same host in order to achieve this. Using this, a user can kinit, then when connecting via SSH to the next host, the current host will connect to the KDC to obtain the appropriate credentials which will then be written over the SSH session to the destination host's ticket cache automatically.

Note that specific configuration must be set in order for forwarding to work (for example, the KDC must issue forwardable tickets). For configuration information, consult your KDC documentation.

7,262 Views
Comments
Contributor

if ur new to kerberos ... have a look to this post http://www.roguelynn.com/words/explain-like-im-5-kerberos/

Don't have an account?
Coming from Hortonworks? Activate your account here
Version history
Revision #:
2 of 2
Last update:
‎10-21-2015 02:40 PM
Updated by:
 
Contributors
Top Kudoed Authors