
Enable Kerberos on domain joined computer


Hello,

I am trying to enable Kerberos on a cluster of Ubuntu 16.04.3 LTS servers. All of the nodes are already joined to a Windows domain. I used PowerBroker for that. Is it still possible to turn on Kerberos for the cluster when they are already joined to a domain?

I am using the MIT KDC since our corp office is not willing to deal with the LDAPS. Whenever I try to turn Kerberos on, I get the error that it fails to find the KDC for the realm. However, it is showing my Windows domain and not the realm that I made.

I may be way off since I am still getting to know Kerberos, but any help would be appreciated.

4 REPLIES

Re: Enable Kerberos on domain joined computer

Contributor

@David Williamson

Please see the link below; it may be helpful. (Try the other option, with the same realm on the KDC as the domain name.)

https://hortonworks.com/blog/enabling-kerberos-hdp-active-directory-integration/


Re: Enable Kerberos on domain joined computer

I believe you would need to remove them from AD if you don't want to use the AD KDC to kerberize the cluster. The krb5.conf should be managed by either Power Broker or Ambari, not both, and the krb5.conf configuration is going to have to resolve a particular KDC for the host.

That is, if you want Ambari to manage the keytabs and principals. Another option would be to use the manual option in Ambari, and use the AD endpoint as the KDC. Ambari would be connecting over LDAPS to create the principals if done in the automated fashion, but you could also create these principals manually in AD.
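As an added illustration (not part of the thread, and not Ambari or PowerBroker code), the sketch below parses a krb5.conf and reports when the default realm, or the realm that `[domain_realm]` maps a host to, has no KDC listed in `[realms]`, which is one way a "cannot find KDC for realm" error can name the Windows domain instead of the MIT realm. The realm names, host names and file contents are constructed placeholders, and only multi-line `REALM = {` blocks are handled.

```python
import re

# Constructed krb5.conf: default_realm names the AD domain, but only the
# MIT realm created for the cluster has a KDC listed.
SAMPLE = """
[libdefaults]
  default_realm = CORP.EXAMPLE.COM
[realms]
  HADOOP.EXAMPLE.COM = {
    kdc = kdc1.hadoop.example.com
  }
[domain_realm]
  .corp.example.com = CORP.EXAMPLE.COM
  .hadoop.example.com = HADOOP.EXAMPLE.COM
"""

def parse_krb5(text):
    """Parse sections into dicts; a 'REALM = {' block becomes {key: [values]}."""
    conf, section, block = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            elif block is not None:
                block.setdefault(key, []).append(value)
            else:
                section[key] = value
    return conf

def realm_for_host(conf, fqdn):
    """[domain_realm] lookup: exact host name, then each parent domain (".dom")."""
    mapping, name = conf.get("domain_realm", {}), fqdn.lower()
    if name in mapping:
        return mapping[name]
    while "." in name:
        name = name.split(".", 1)[1]
        if "." + name in mapping:
            return mapping["." + name]
    return None

def check(conf, fqdn):
    """Report realms the host would use that lack a kdc in [realms] (DNS SRV discovery is not checked)."""
    found = {"default_realm": conf.get("libdefaults", {}).get("default_realm"),
             "host realm": realm_for_host(conf, fqdn)}
    return [f"{label}: {realm or 'unset'} has no kdc in [realms]"
            for label, realm in found.items()
            if not conf.get("realms", {}).get(realm, {}).get("kdc")]
```

Calling `check(parse_krb5(open("/etc/krb5.conf").read()), "<node fqdn>")` on a cluster node returns an empty list when both realms resolve to a listed KDC.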


Re: Enable Kerberos on domain joined computer

@slachterman When I joined the machines to the domain with Power Broker, it did not make any of the principals in AD.


Re: Enable Kerberos on domain joined computer

True, it wouldn't have created the service principals specifically for Hadoop. Those would have to be added to AD manually if you can't use Ambari to automatically create them.
