Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

AD users with Kerberos for multiple clusters (Prod and DR)

avatar
Contributor

I am working on Kerberos with AD (no local KDC) integration for multiple Hadoop clusters (Prod and DR). The goal is to have all users and service principals reside in the corporate AD. Would I need to create two separate groups of users and service ids for each cluster? The idea is to have a single userid to be able to login into Prod or DR cluster depending which one is active.

When setting up the Prod cluster with Kerberos via Ambari it will generate all necessary principals and keytabs. What happens when the second cluster (DR) needs to be configured for Kerberos? Does Ambari know that all principals already exist? or will it try to regenerate?

1 ACCEPTED SOLUTION

avatar
hide-solution

This problem has been solved!

Want to get a detailed solution you have to login/registered on the community

Register/Login
3 REPLIES 3

avatar
hide-solution

This problem has been solved!

Want to get a detailed solution you have to login/registered on the community

Register/Login

avatar
Rising Star

Hi @dbaev, I would like to have the same scenario. 2 clusters but using the same AD and also with kerberos. How was your experience? Did you find any problems?

Thanks,

avatar
New Contributor

Hi!

In the case both clusters will be configured to use a DellEMC ISILON.

On Installation Guide have a config step to remove the "-${CLUSTER_NAME}".

How to proceed in this case?

Will be possible both cluster in the same AD Domain (realm)?

From Installation Guide "Isilon-OneFS-With-Hadoop-and-Hortonworks-for-Kerberos-Installation-Guide"

"Click the General tab and configure the Apache Ambari user principals as shown in the next table. Remove -${cluster-name} from the default value and change to a value as shown in the Required value column so that it matches the service account names (users) that you created during the initial configuration of your Isilon OneFS cluster for use with Ambari and Hortonworks."