Active Directory as Directory Service and MIT Kerberos as KDC



In my environment, Hadoop nodes are integrated with AD for authentication. AD doesn't support Kerberos. I understand that it's possible to have users + user principals serviced by AD and have only service principals serviced by a local KDC. Question is, is it possible to set up a local KDC server for both service and user principals but actual users will reside in AD? So, I will need to host Kerberos principals and manage tickets of AD users in local KDC. AD user realm and KDC realm will also be different.

Any help would be appreciated 🙂


@tuxnet, please clarify what you mean by "AD doesn't support Kerberos". AD does in fact use Kerberos for authentication under the covers.

When a separate MIT-KDC is used, the usual design is to use it to store the host and service principals associated with the Hadoop cluster. The user principals are stored in AD, and a one-way trust is established between the AD domain and the MIT-KDC realm so that users in AD can access cluster services (but not the other way around).

This HCC article discusses one-way trusts between MIT-KDC and AD.
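
The design described in this answer, sketched as a client-side `krb5.conf` for the cluster nodes. This is an added example, not part of the original post or the linked article; the realm names `HADOOP.EXAMPLE.COM` and `AD.EXAMPLE.COM` and all host names are placeholders.

```ini
# /etc/krb5.conf on each cluster node (constructed example, placeholder names).
# HADOOP.EXAMPLE.COM = local MIT KDC, holds host and service principals.
# AD.EXAMPLE.COM     = Active Directory, holds user principals.

[libdefaults]
  default_realm = HADOOP.EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  forwardable = true

[realms]
  HADOOP.EXAMPLE.COM = {
    kdc = kdc.hadoop.example.com
    admin_server = kdc.hadoop.example.com
  }
  AD.EXAMPLE.COM = {
    kdc = dc1.ad.example.com
    admin_server = dc1.ad.example.com
  }

[domain_realm]
  .hadoop.example.com = HADOOP.EXAMPLE.COM
  hadoop.example.com = HADOOP.EXAMPLE.COM
  .ad.example.com = AD.EXAMPLE.COM
  ad.example.com = AD.EXAMPLE.COM

# One-way trust (MIT realm trusts AD, not the reverse):
#   The cross-realm principal krbtgt/HADOOP.EXAMPLE.COM@AD.EXAMPLE.COM must
#   exist in BOTH the MIT KDC database and AD, with the same password and a
#   common encryption type. AD users then obtain a TGT from AD and use the
#   cross-realm ticket to request service tickets from the MIT KDC.
#   The reverse principal krbtgt/AD.EXAMPLE.COM@HADOOP.EXAMPLE.COM is NOT
#   created, so principals in the MIT realm cannot reach AD-protected services.
#
# Hadoop side: hadoop.security.auth_to_local needs a rule that maps
#   user@AD.EXAMPLE.COM to the local short name "user".
```

Treat the trust password as a long, randomly generated secret: anyone who knows it can mint cross-realm tickets for any AD user toward the cluster realm.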



Expert Contributor

If the AD is not providing Kerberos service to the hosts in the cluster (as stated in the question) then there is no chance of the user requesting any TGT from the AD KDC. In that case AD may only be used as an LDAP user identity provider.