Hello, we are in the process of installing a cluster which is based in an IPA realm. The problem is that we have an issue with the Kerberos setup: if we have to integrate with the IPA realm, the cloudera user must have admin privileges, but that IPA realm manages different organizations, so they are not okay with giving us admin privileges. They proposed to create a new OU in Active Directory, and then the cloudera user can have admin privileges. Now my question is: if my Cloudera Data Hub is in IPA and my Kerberos is set up with AD, would it work? If so, do I have to follow any extra steps to make it work, or just follow the Cloudera doc for setting up AD with Kerberos?
Please suggest what the pros and cons are.
Thanks. The problem here is that we have an AD and OU being set up, but the Microsoft team said that this is not an interactive login machine. If the AD machine is not interactive, can I create principals and keytabs from Cloudera Manager or from the command line from Cloudera Manager?
If I understand your query right, about manual work on the principal and with your authentication limitation, then you can create the principal manually on your KDC and then import it. Please review the customer keytab retrieval script.
As a side note, maybe you can ask your AD team to change authentication and have denying local login applied.
Hope that helps.
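
A sketch of the kind of retrieval script the answer above points to, added here as an example and not taken from the thread or from Cloudera's own code. It assumes Cloudera Manager's custom keytab retrieval hook calls the script with a destination path and a principal name, and that the AD team has pre-generated keytabs into a directory using the hypothetical `<service>_<fqdn>@<REALM>.keytab` naming convention.

```shell
#!/bin/sh
# Added example: custom keytab retrieval script for Cloudera Manager.
# Assumption: CM invokes it as  <script> <destination-file> <principal>.
# Assumption: keytabs were created by the AD/KDC admins and placed in
# KEYTAB_DIR as <service>_<fqdn>@<REALM>.keytab (hypothetical convention).
KEYTAB_DIR="${KEYTAB_DIR:-/etc/cloudera-keytabs}"

# Map a principal such as hdfs/node1.example.com@EXAMPLE.COM to a file name.
# Anything that is not exactly service/host@REALM is rejected, so a crafted
# principal cannot point outside KEYTAB_DIR.
principal_to_file() {
    princ="$1"
    case "$princ" in
        *[!A-Za-z0-9._/@-]*|*..*|/*|*/*/*|*@*@*) return 1 ;;
        ?*/?*@?*) ;;
        *) return 1 ;;
    esac
    printf '%s/%s.keytab\n' "$KEYTAB_DIR" "$(printf '%s' "$princ" | tr '/' '_')"
}

# Copy the pre-generated keytab for principal $2 to destination $1.
retrieve_keytab() {
    dest="$1"
    src="$(principal_to_file "$2")" || { echo "bad principal: $2" >&2; return 2; }
    # Require a regular file; refuse symlinks planted in the drop directory.
    if [ ! -f "$src" ] || [ -L "$src" ]; then
        echo "no keytab for $2" >&2
        return 3
    fi
    # Keytabs are long-lived credentials: keep the copy owner-readable only.
    ( umask 077 && cp -- "$src" "$dest" && chmod 600 "$dest" ) || return 4
}

# Run only when called with the two arguments Cloudera Manager passes.
if [ "$#" -eq 2 ]; then
    retrieve_keytab "$1" "$2"
fi
```

A non-zero exit tells the caller that no keytab was delivered, so a missing or misnamed file fails loudly instead of leaving a service with an empty credential.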