Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Active directory as Directory Service and MIT kerberos as KDC

Labels:
avatar
author-rank priyanxmail
Rising Star

Created on ‎05-08-2017 02:39 PM - edited ‎09-16-2022 04:34 AM

Hi,

In my environment, Hadoop nodes are integrated with AD for authentication. AD doesn't support Kerberos. I understand that it's possible to have users + user principals serviced by AD and have only service principals serviced by a local KDC. Question is, is it possible to set up a local KDC server for both service and user principals but actual users will reside in AD ? So, I will need to host kerberos principals and manage tickets of AD users in local KDC. AD user realm and KDC realm will also be different.

Any help would be appreciated 🙂

8,962 Views
0
1 ACCEPTED SOLUTION

avatar
author-rank slachterman
Guru

Created ‎05-08-2017 04:16 PM

@tuxnet, please clarify what you mean by "AD doesn't support Kerberos". AD does in fact use Kerberos for authentication under the covers.

When a separate MIT-KDC is used, the usual design is to use it to store the host and service principals associated with the Hadoop cluster. The user principals are stored in AD, and a one-way trust is established between the AD domain and the MIT-KDC realm so that users in AD can access cluster services (but not the other way around).

This HCC article discusses one-way trusts between MIT-KDC and AD.

View solution in original post

6,821 Views
0
10 REPLIES 10

avatar
author-rank lvazquez
Expert Contributor

Created ‎08-31-2018 02:47 AM

If the AD is not providing Kerberos service to the hosts in the cluster (as stated in the question) then there is not chance of the user requesting any TGT from the AD KDC. In that case AD may only be used as an LDAP users identity provider.

1,872 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements