Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Can kerberos kdc be configured with a vip for HA/loadbalancing purposes?

Labels:
avatar
author-rank wgonzalez
Guru

Created ‎10-14-2015 01:29 PM

While trying to configure kdc with a Virtual IP, we are getting the below error 

Could not find user in Kerberos database

Ambari fails the install.

VIP is needed for loadbalancing and HA.

When single node IP is used for kdc, then the install is successful.

4,871 Views
1 ACCEPTED SOLUTION

avatar
author-rank pcodding author-rank
Guru

Created ‎10-14-2015 02:14 PM

I'm working on adding an (Optional) step in this doc: http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_Ambari_Security_Guide/content/_launching_...that mentions how to alter the Advanced krb5-conf template to include another kdc entry. That's all you need to do to @hkropp's point is mention each individual KDC and the Kerberos client will deal with failover in the event one is unavailable. Something like this:

kdc = {{kdc_host}}
kdc = host2.hortonworks.local
kdc = host3.hortonworks.local

The {{kdc_host}} is substituted for the host that you have configured in the KDC Host input field. In future versions we'll make this KDC Hosts (comma-separated) to make it easier.

View solution in original post

2,998 Views
5 REPLIES 5

avatar
author-rank hkropp
Super Collaborator

Created ‎10-14-2015 01:49 PM

I don't think a VIP is necessary, in your krb5.conf you simply set multiple kdc entries. For admin kdc just one. I think only master slave model is possible with MIT Kerberos. See here for sample: http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html#sample-krb5-conf-file

As changes to the kdc are rare, as you will not add people users to the project every day, as simple sync between two kdc is sufficient as is the Master Slave model.

2,998 Views

avatar
author-rank pcodding author-rank
Guru

Created ‎10-14-2015 02:14 PM

I'm working on adding an (Optional) step in this doc: http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.2.0/bk_Ambari_Security_Guide/content/_launching_...that mentions how to alter the Advanced krb5-conf template to include another kdc entry. That's all you need to do to @hkropp's point is mention each individual KDC and the Kerberos client will deal with failover in the event one is unavailable. Something like this:

kdc = {{kdc_host}}
kdc = host2.hortonworks.local
kdc = host3.hortonworks.local

The {{kdc_host}} is substituted for the host that you have configured in the KDC Host input field. In future versions we'll make this KDC Hosts (comma-separated) to make it easier.

2,999 Views

avatar
author-rank nsabharwal
Master Mentor

Created ‎01-31-2016 03:41 PM

Thanks @Paul Codding for taking care of this...very helpful to have in official docs.

2,998 Views
0 Kudos

avatar
author-rank wgonzalez
Guru

Created ‎10-19-2015 10:10 PM

Sorry, my question had a 2 part. Sorry I did not make that clear.

Setting up different kdcs as suggested above works for configuration and HA.

However, the user wants to configure a kdc with a load balancer to ease up the traffic.

if 2 kdcs are setup, then users can still connect to the heavy used one instead of being redirected to the idle one via loadbalancer. Does this make sense?

2,998 Views
0 Kudos

avatar
author-rank nsabharwal
Master Mentor

Created ‎01-31-2016 03:40 PM

@William Gonzalez Thanks for raising this!!

2,998 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements