Support Questions
Find answers, ask questions, and share your expertise

Host Domains in Active Directory with MIT KDC integration

Host Domains in Active Directory with MIT KDC integration

Expert Contributor

I'm trying to configure HDP security by integrating Active Directory for users authentication and MIT Kerberos KDC for HDP services. I have already read and followed the following reference documents:

I've also checked the official HDP course on Operation Security and it's of not much help. The information in this topic is very partial, confuse (mixes the KDC+AD case with the pure AD one) and only gives a real example for the pure AD case.

In order to configure user authentication on the HDP Linux nodes I followed the SSSD AD with realmd docs (mostly from RedHat) and, based on this, I used as domains for the nodes in the cluster the AD Domain (let's say AD.COM).

This is working perfect, but now, when I follow the referenced documents to kerberize the cluster with the MIT KDC it has to be configured with a different, let's say HDP.COM, domain/realm. My krb5.conf with the combined REALM's is as follow (excluding irrelevant options) as suggested in the previous guides:

 dns_lookup_realm = false
 dns_lookup_kdc = false
 rdns = false
 default_realm = HDP.COM
 udp_preference_limit = 1

 HDP.COM = {
  kdc =
  admin_server =
 AD.COM = {
  kdc =
  admin_server =
[domain_realm] = HDP.COM = HDP.COM = AD.COM = AD.COM

I have also created/configured the cross-real trust account krbtgt/HDP.COM@AD.COM both in the KDC and in the AD as described in the documents. My problem with this approach, is that as I have my HDP nodes configured with hostnames in the AD.COM domain/realm:,,

I think that with the previous configuration; using HDP.COM as default realm and mapping the domain of the HDP hosts to the realm AD.COM instead of HDP.COM the Ambari kerberization will not work because the host principals will be mapped to the Active Directory and not the Hadoop local KDC.

So my doubts and questions before proceeding with the kerberization against the HDP.COM Unix MIT KDC server are:

  1. Do I have to change the domains in the FQDN of all the HDP nodes to the local KDC REALM's domain instead of the Active Directory one?
  2. Will SSSD with AD authentication keep working even when the host's domains doesn't belong to AD's domain? I know in that case I would have to remove and re-register each host to AD using the new hostname.
  3. There is some way of making this work using the Active Directory ( domain in the cluster's hosts as I currently have?

I hope someone has faced this problems previously and may give me some hints or suggestions.

Thanks a lot in advance.