How to configure additional AD server(HA) in kerberized cluster through Ambari in HDP 2.4.2

Hi Team,

Can I configure an additional AD in a kerberized cluster through Ambari, as I am using HDP-2.4.2 with Ambari-2.2.2?

The reason I am asking this is because, in case the first AD server goes down, the Hadoop services should be able to kinit with the additional AD server. Otherwise we are blocked and have to wait until the AD server is accessible.

Any thoughts?

Thanks,

Rahul

Re: How to configure additional AD server(HA) in kerberized cluster through Ambari in HDP 2.4.2

@Rahul Buragohain

You can configure multiple Active Directories. In Ambari 2.2.2 you need to do this manually, however in Ambari 2.4.0 and above you can specify a list of KDCs (or Active Directories) when enabling Kerberos.

Assuming Ambari is managing your krb5.conf file... Before Ambari 2.4.0 (including Ambari 2.2.2), you will need to edit the krb5.conf template in the Kerberos service configuration page. To do this, open the Advanced krb5-conf section of the configuration editor and look for the "krb5-conf template" text area. The default value will look something like

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = {{realm}}
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  #default_tgs_enctypes = {{encryption_types}}
  #default_tkt_enctypes = {{encryption_types}}
{% if domains %}
[domain_realm]
{% for domain in domains.split(',') %}
  {{domain}} = {{realm}}
{% endfor %}
{% endif %}
[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log
[realms]
  {{realm}} = {
    admin_server = {{admin_server_host|default(kdc_host, True)}}
    kdc = {{kdc_host}}
  }
{# Append additional realm declarations below #}

You will want to add an additional "kdc" entry under the "{{realm}}" section. That entry should look something like:

kdc = backupad.example.com

For example:

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = {{realm}}
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  #default_tgs_enctypes = {{encryption_types}}
  #default_tkt_enctypes = {{encryption_types}}
{% if domains %}
[domain_realm]
{% for domain in domains.split(',') %}
  {{domain}} = {{realm}}
{% endfor %}
{% endif %}
[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log
[realms]
  {{realm}} = {
    admin_server = {{admin_server_host|default(kdc_host, True)}}
    kdc = {{kdc_host}}
    kdc = backupad.example.com
  }
{# Append additional realm declarations below #}

After saving this and restarting the Kerberos service, the krb5.conf files on the hosts of the cluster will be updated to reflect this and will then be able to use that additional KDC or Active Directory if necessary.

Optionally, you can also add a "master_kdc" attribute to specify which of the listed KDCs is the master and should be contacted in the event a password mismatch occurs when validating a principal's password. See http://web.mit.edu/kerberos/krb5-1.13/doc/admin/conf_files/krb5_conf.html for more information on the properties that can be set in this template.
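As an added check for the procedure above (example code written for this thread, not from the original posts, Ambari or MIT krb5): it parses the [realms] section of a rendered krb5.conf, collects every "kdc" entry in file order, and probes each one on the Kerberos TCP port with a short timeout. That separates "the backup KDC never made it into the file" from "the first KDC is down and every request waits out a timeout before failing over", which is the situation the later replies in this thread discuss. The realm name and host names in the embedded sample are assumptions; the `connect` parameter is injectable so the logic can be exercised offline.

```python
import socket
import time
from collections import OrderedDict

# Constructed sample, not taken from the thread: roughly what the Ambari
# template renders to once {{realm}} and {{kdc_host}} are filled in and the
# second "kdc =" line has been added. Realm and host names are assumptions.
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = false

[realms]
  EXAMPLE.COM = {
    admin_server = ad1.example.com
    kdc = ad1.example.com
    kdc = backupad.example.com
  }
"""


def parse_realms(text):
    """Return an ordered {realm: [kdc, ...]} map from the [realms] section.

    Repeated "kdc =" lines are kept in file order because, with
    dns_lookup_kdc = false, libkrb5 contacts them in exactly that order.
    """
    realms = OrderedDict()
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            current = None
            continue
        if section != "realms":
            continue
        if line.endswith("{"):                # "REALM = {" opens a realm block
            current = line[:-1].split("=", 1)[0].strip()
            realms.setdefault(current, [])
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "kdc":
                realms[current].append(value)
    return realms


def split_host_port(kdc, default_port=88):
    """'host:port' -> (host, port); a bare host gets the Kerberos port 88."""
    host, sep, port = kdc.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return kdc, default_port


def tcp_connect(host, port, timeout):
    """Default probe: a plain TCP connect to the KDC port, then close."""
    with socket.create_connection((host, port), timeout=timeout):
        return True


def probe_kdcs(realms, timeout=2.0, connect=tcp_connect):
    """Probe every KDC of every realm.

    Returns {realm: [(kdc, reachable, seconds), ...]} in krb5.conf order.
    `connect` is injectable so the logic can run without network access.
    """
    results = OrderedDict()
    for realm, kdcs in realms.items():
        rows = []
        for kdc in kdcs:
            host, port = split_host_port(kdc)
            started = time.monotonic()
            try:
                reachable = bool(connect(host, port, timeout))
            except OSError:                   # DNS failure, refused, timeout
                reachable = False
            rows.append((kdc, reachable, round(time.monotonic() - started, 3)))
        results[realm] = rows
    return results


def unreachable(results):
    """List (realm, kdc) pairs that failed. A dead entry listed ahead of a live
    one costs each ticket request a connection timeout before failover."""
    return [(realm, kdc) for realm, rows in results.items()
            for kdc, ok, _ in rows if not ok]


if __name__ == "__main__":
    for realm, rows in probe_kdcs(parse_realms(SAMPLE_KRB5_CONF)).items():
        for kdc, ok, secs in rows:
            state = "ok" if ok else "UNREACHABLE"
            print(f"{realm}: {kdc:<28} {state:<12} {secs}s")
```

Run it on each cluster host against the real /etc/krb5.conf after the Kerberos service restart; a KDC that is listed but reported UNREACHABLE from a host is the one whose timeout the clients on that host are paying.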

Re: How to configure additional AD server(HA) in kerberized cluster through Ambari in HDP 2.4.2

@Robert Levas

Hi Robert,

Thanks a lot for the detailed information. I will implement this and let you know if I face any issue.

Thanks,

Rahul

Re: How to configure additional AD server(HA) in kerberized cluster through Ambari in HDP 2.4.2

@Robert Levas

Hi Robert,

I configured the backup AD server in the advanced-krb5 section in Ambari and then restarted the Kerberos service. I am able to do kinit from my user, but I get alerts in HDFS and Hive as both are not able to kinit to the backup AD server. Even hadoop fs -ls / shows the listing of files from HDFS, but it takes nearly 30-40 seconds to get executed.

Thanks,

Rahul

Re: How to configure additional AD server(HA) in kerberized cluster through Ambari in HDP 2.4.2

Are both AD servers up and reachable by the hosts in the cluster? Maybe one is down or DNS isn't resolving properly causing a delay due to connection timeouts?

Re: How to configure additional AD server(HA) in kerberized cluster through Ambari in HDP 2.4.2

@Robert Levas

Yes, the primary AD server was down. Let's take the scenario where the primary AD goes down due to network maintenance and the secondary AD should then work. DNS is replicated from the primary AD server, so DNS is able to resolve properly as DNS is configured on both the primary and secondary AD servers. I also added the secondary AD IP to the /etc/resolv.conf file on all the nodes and made the entry in the DNS servers too. But still the issue persists. Any other solution?

Re: How to configure additional AD server(HA) in kerberized cluster through Ambari in HDP 2.4.2

This seems like a normal network timeout issue. For example, how long will ssh or telnet take to determine that the host with AD is down? This will be the same for accessing the host to contact the KDC.

Re: How to configure additional AD server(HA) in kerberized cluster through Ambari in HDP 2.4.2

@Robert Levas

Hi Robert,

ssh and telnet happen faster to the second AD when the first AD is down.
