How to enable trust between two KDC's with same realm and same domain names?


Contributor

Hi,


I have two HDP clusters in different DCs with the same domain name and the same realm, but the KDCs are different. How can I enable trust between these two KDCs?


Re: How to enable trust between two KDC's with same realm and same domain names?

Guru
Hello @Rajesh Reddy,

If you have two KDC servers in the same realm and with the same domain name, then you don't really need to set up any trust between them. A ticket issued by one KDC will be automatically honored by the other KDC.

Hope this helps!

Re: How to enable trust between two KDC's with same realm and same domain names?

Mentor

@Rajesh Reddy

In addition to @Vipin Rathor's reply, I had a real production case of setting up an HA KDC environment, which is almost the case here. You will need to create a cron job that propagates users created on KDC1 to KDC2 and vice versa. If that makes sense to you, here is the procedure:

My assumption:

You are running two working KDCs on RHEL/CentOS and you have different users on both HDP clusters, but want them to access services on either cluster.

Whether the krb5.conf file is managed by Ambari or not, the realm specification for your realm should look something like:


CUSTOMER.COM = {
 kdc = kdc1.customer.com
 kdc = kdc2.customer.com
 master_kdc = kdc1.customer.com
}

Read carefully: as this is a two-way setup, some steps have to be done on both KDC1 and KDC2, especially the crontab job, which should propagate in both ways as this creates the keytab from one KDC to the other.

Host keytabs must now be created for the SLAVE KDC2. Execute the following commands from the Master KDC1:

 # kadmin
 kadmin: addprinc -randkey host/kdc1.customer.com
 kadmin: addprinc -randkey host/kdc2.customer.com

Extract the host key for the Slave KDC and store it in the host's keytab file, /etc/krb5.keytab.slave:

kadmin: ktadd -k /etc/krb5.keytab.slave host/kdc2.customer.com

Copy /etc/krb5.keytab.slave to kdc2.customer.com and rename the file to /etc/krb5.keytab.

Update /etc/services on each KDC host, if not present:

krb5_prop       754/tcp               # Kerberos slave propagation

Install xinetd on the hosts of the Master and Slave KDC, if not already installed, to enable kpropd to execute:

yum install xinetd

Create the configuration for kpropd on both the Master KDC1 and Slave KDC2 hosts:

Create /etc/xinetd.d/krb5_prop with the following contents (the service name must match the krb5_prop entry in /etc/services, which is how xinetd finds the port):

service krb5_prop
{
        disable         = no
        socket_type     = stream
        protocol        = tcp
        user            = root
        wait            = no
        server          = /usr/sbin/kpropd
}

Configure xinetd to run as a persistent service on both the Master and Slave KDC hosts:

# systemctl enable xinetd.service
# systemctl start xinetd.service

Copy the following files from the Master KDC host to the Slave KDC host:

/etc/krb5.conf 
/var/kerberos/krb5kdc/kadm5.acl 
/var/kerberos/krb5kdc/kdc.conf
/var/kerberos/krb5kdc/kpropd.acl
/var/kerberos/krb5kdc/.k5.CUSTOMER.COM

Perform the initial KDC database propagation to the Slave KDC. Running these commands by hand the first time, you should see something similar to the following:

# kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
# kprop -d -f /usr/local/var/krb5kdc/slave_datatrans kdc2.customer.com 
3234 bytes sent. 
Database propagation to kdc2.customer.com: SUCCEEDED

The slave server will now synchronize its principal database with the master server.

The Slave KDC may be started at this time:

# systemctl enable krb5kdc 
# systemctl start krb5kdc 

Script to propagate the updates from the Master KDC to the Slave KDC. Create a cron job, or the like, to run this script on a frequent basis.

#!/bin/sh
# /var/kerberos/kdc-slave-propagate.sh
# Dump the master KDC database and push it to each slave KDC in the list.
kdclist="kdc2.customer.com"
/sbin/kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
for kdc in $kdclist
do
    /sbin/kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc
done

Hope that helps
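Because xinetd resolves a stanza's listening port through /etc/services by the stanza's service name, the name in /etc/xinetd.d/krb5_prop has to match the /etc/services entry exactly or kpropd never listens and kprop on the master fails. The following check is an added example (not code from the thread) that parses both snippets as posted above; its sample inputs are constructed from the reply's own lines.

```python
import re

# Constructed sample inputs (not from the thread's hosts): the /etc/services
# line from the reply, and the xinetd stanza as posted, whose name differs.
SERVICES_TEXT = "krb5_prop       754/tcp               # Kerberos slave propagation\n"
STANZA_AS_POSTED = """service krb_prop
{
        disable         = no
        socket_type     = stream
        protocol        = tcp
        user            = root
        wait            = no
        server          = /usr/sbin/kpropd
}"""
STANZA_FIXED = STANZA_AS_POSTED.replace("service krb_prop", "service krb5_prop")

def parse_services(text):
    """Map service name -> (port, proto) from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[fields[0]] = (int(port), proto)
    return table

def parse_xinetd_stanza(text):
    """Return (service name, {attribute: value}) for one xinetd stanza."""
    m = re.search(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no xinetd service stanza found")
    attrs = dict((k.strip(), v.strip()) for k, v in
                 (l.split("=", 1) for l in m.group(2).splitlines() if "=" in l))
    return m.group(1), attrs

def check_kpropd_stanza(services_text, stanza_text, expected_port=754):
    """Return a list of findings; an empty list means the stanza is consistent."""
    name, attrs = parse_xinetd_stanza(stanza_text)
    services = parse_services(services_text)
    findings = []
    if name not in services:
        findings.append(f"'{name}' is not in /etc/services; xinetd cannot resolve its port")
    elif services[name] != (expected_port, attrs.get("protocol", "tcp")):
        findings.append(f"'{name}' maps to {services[name]}, expected {expected_port}/{attrs.get('protocol', 'tcp')}")
    if attrs.get("disable", "no") != "no":
        findings.append("stanza is disabled")
    if not attrs.get("server", "").endswith("/kpropd"):
        findings.append(f"server {attrs.get('server')!r} is not kpropd")
    return findings
```

Run check_kpropd_stanza on the stanza as posted and it reports the missing krb_prop service; with the name changed to krb5_prop it returns no findings.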

Re: How to enable trust between two KDC's with same realm and same domain names?

Mentor

@Rajesh Reddy

Any updates?