Created on 04-25-2016 11:56 AM - edited 09-16-2022 03:15 AM
How does Kerberos work ? Do we have to integrate it with our Existing AD ? Is this how it is able to identify users ? Can we have both AD/LDAP and Kerberos authentication seperately ?
All these questions came to my mind when I was following this installation document. There is an option to use existing AD as KDC. So does this mean it is using AD authentication? I would be very grateful, if some one could help me on this.
Does AD(KDC) has to be present in same machine I am enabling Kerberos ?
Created 04-25-2016 01:48 PM
Just to clarify answers from @Benjamin Leonhardi...
How does Kerberos work?
This is a relatively open ended question. If the answers provided do not answer this, please clarify what about Kerberos you are looking for - as related to Ambari, in general, etc...
Do we have to integrate it with our Existing AD?
You do not need use your existing Active Directory. However of you have accounts in there that you want to utilize in the Ambari cluster, then you will want to either have Ambari integrate with that AD directly or indirectly (via a trust relationship with an MIT KDC).
Is this how it is able to identify users?
Ambari, itself, does not use Kerberos as an authentication mechanism - it uses usernames and passwords. However, most of the services can be configured to use Kerberos to identify users.
Can we have both AD/LDAP and Kerberos authentication seperately?
I believe that only a few services can use LDAP for authentication, where most use Kerberos. So you would probably choose Kerberos over LDAP for access to services. However, access to Ambari can use LDAP and does not use Kerberos for authentication. Therefore, you would probably consider using both if you wanted your users stored in the Active Directory to have access to Ambari and its views.
There is an option to use existing AD as KDC. So does this mean it is using AD authentication?
Active Directory has several interfaces that may be used for authentication. Two of them are LDAP and Kerberos. Both protocols allow for authentication; however the LDAP interface can be used to query for additional information such as group membership, email addresses, and (first and last) names. With this, I am not sure what is meant by "AD authentication"; but the Active Directory, with out modification, can be used by Ambari and the services in the cluster for authentication.
Does AD(KDC) has to be present in same machine I am enabling Kerberos?
The KDC (or Active Directory) does not need to be on the same machine as Ambari or any service. It just needs to be accessible via the network to all hosts in the cluster.
Created 04-25-2016 12:15 PM
I think this thread gave a good overview here. There are four separate things that need to be done. You need to distinguish Kerberos principals and normal users ( ldap, local ) for service users and application users.
https://community.hortonworks.com/questions/26894/hadoop-security-1.html#answer-26922
""There is an option to use existing AD as KDC. So does this mean it is using AD authentication? I would be very grateful, if some one could help me on this."
Basically yes. You need to create a service user OU in AD,then provide ambari with an admin user for that OU Ambari would then create the service user principals extract the keytabs and distribute them in the cluster. Separately you need to configure Linux/AD connection for local users ( SSSD normally ).
"Does AD(KDC) has to be present in same machine I am enabling Kerberos ?"
I mean you need to be able to access the AD server, you need to have SSSD configuration for Linux and your cluster needs to join the KDC REALM, ( the latter will be done by ambari )
Created 04-25-2016 01:48 PM
Just to clarify answers from @Benjamin Leonhardi...
How does Kerberos work?
This is a relatively open ended question. If the answers provided do not answer this, please clarify what about Kerberos you are looking for - as related to Ambari, in general, etc...
Do we have to integrate it with our Existing AD?
You do not need use your existing Active Directory. However of you have accounts in there that you want to utilize in the Ambari cluster, then you will want to either have Ambari integrate with that AD directly or indirectly (via a trust relationship with an MIT KDC).
Is this how it is able to identify users?
Ambari, itself, does not use Kerberos as an authentication mechanism - it uses usernames and passwords. However, most of the services can be configured to use Kerberos to identify users.
Can we have both AD/LDAP and Kerberos authentication seperately?
I believe that only a few services can use LDAP for authentication, where most use Kerberos. So you would probably choose Kerberos over LDAP for access to services. However, access to Ambari can use LDAP and does not use Kerberos for authentication. Therefore, you would probably consider using both if you wanted your users stored in the Active Directory to have access to Ambari and its views.
There is an option to use existing AD as KDC. So does this mean it is using AD authentication?
Active Directory has several interfaces that may be used for authentication. Two of them are LDAP and Kerberos. Both protocols allow for authentication; however the LDAP interface can be used to query for additional information such as group membership, email addresses, and (first and last) names. With this, I am not sure what is meant by "AD authentication"; but the Active Directory, with out modification, can be used by Ambari and the services in the cluster for authentication.
Does AD(KDC) has to be present in same machine I am enabling Kerberos?
The KDC (or Active Directory) does not need to be on the same machine as Ambari or any service. It just needs to be accessible via the network to all hosts in the cluster.
Created 04-28-2016 06:26 AM
Thanks Robert. Regarding this Question How does Kerberos work?, could you please answer it here.