I am trying to enable Kerberos on a cluster of Ubuntu 16.04.3 LTS servers. All of the nodes are already joined to a Windows domain. I used PowerBroker for that. Is it still possible to turn on Kerberos for the cluster when they are already joined to a domain?
I am using the MIT KDC since our corp office is not willing to deal with the LDAPS. Whenever I try to turn Kerberos on I get the error that it fails to find the KDC for the realm. However, it is showing my Windows domain and not the realm that I made.
I may be way off since I am still getting to know Kerberos, but any help would be appreciated.
Please find the link below; it may be helpful. (Try the other option with the same realm on the KDC as the domain name.)
I believe you would need to remove them from AD if you don't want to use the AD KDC to kerberize the cluster. The krb5.conf should be managed by either Power Broker or Ambari, not both, and the krb5.conf configuration is going to have to resolve a particular KDC for the host.
That is, if you want Ambari to manage the keytabs and principals. Another option would be to use the manual option in Ambari, and use the AD endpoint as the KDC. Ambari would be connecting over LDAPS to create the principals if done in the automated fashion, but you could also create these principals manually in AD.
True, it wouldn't have created the service principals specifically for Hadoop. Those would have to be added to AD manually if you can't use Ambari to automatically create them.
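On the point above that krb5.conf has to resolve one particular KDC for the host, here is a read-only check, added as an example and not posted by anyone in this thread, that reports why a krb5.conf would send a client looking for a different realm than the one intended. The realm and host names are constructed placeholders, and the parser assumes plain MIT krb5.conf syntax without include directives.

```python
# Constructed sample: krb5.conf written by a domain-join tool, MIT realm added later.
SAMPLE = """\
[libdefaults]
    default_realm = CORP.EXAMPLE.COM
[realms]
    HADOOP.EXAMPLE.COM = {
        kdc = kdc1.hadoop.example.com
    }
[domain_realm]
    .example.com = CORP.EXAMPLE.COM
"""

def parse_krb5(text):
    """Return (libdefaults, {realm: [kdc, ...]}, domain_realm) from krb5.conf text."""
    libdefaults, realms, domain_realm = {}, {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif line == "}":                    # end of a realm's block
            realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "realms" and value == "{":
                realm = key
                realms.setdefault(realm, [])
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(value)
            elif section == "libdefaults":
                libdefaults[key] = value
            elif section == "domain_realm":
                domain_realm[key] = value
    return libdefaults, realms, domain_realm

def check_realm(text, expected_realm):
    """List reasons a client using this file would look for another realm's KDC."""
    libdefaults, realms, domain_realm = parse_krb5(text)
    problems = []
    if libdefaults.get("default_realm") != expected_realm:
        problems.append(f"default_realm is {libdefaults.get('default_realm')}")
    if not realms.get(expected_realm):
        problems.append(f"no kdc listed for {expected_realm} in [realms]")
    problems += [f"[domain_realm] maps {d} to {r}"
                 for d, r in domain_realm.items() if r != expected_realm]
    return problems
```

Calling `check_realm(open("/etc/krb5.conf").read(), "YOUR.REALM")` on each node shows whether the file still points at the AD domain after another tool has rewritten it.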