Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

How to setup High Availability for kerberos

Solved Go to solution
Highlighted

How to setup High Availability for kerberos

Explorer

I want to use High Availability for kerberos.

If anyone have the method, Please give me the infomation.

Regards,

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: How to setup High Availability for kerberos

@Hiroshi Shidara

Your question is a bit broad. Are you looking to set up a KDC (or Active Directory) for high availability or configure Ambari to connect to replicated KDCs or Active Directories?

If you are looking to set up a replicated KDC, this is probably not the forum for that. However if you are setting up an MIT KDC, you can following docs from https://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html.

From the Ambari side, as of Ambari 2.4.0, you can specify multiple KDC hosts to be set in the Ambari-managed krb5.conf file. Also, you will want to set the master_kdc value for the realm. There is a field in the Enable Kerberos Wizard in Ambari 2.5.1 and above for this (Advanced kerberos-env -> Master KDC host) or you can manually add it to the krb5.conf template under "Advanced krb5-conf".

Whether the krb5,conf file is managed by Ambari or not, the realm specification for your realm should look something like

    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        master_kdc = kdc1.example.com
    }

View solution in original post

6 REPLIES 6
Highlighted

Re: How to setup High Availability for kerberos

Super Mentor

@Hiroshi Shidara

From Ambari 2.4 onwards you can define "kdc_hosts" which can have comma separated values for KDC : https://issues.apache.org/jira/browse/AMBARI-13240

Apache Ambari Docs: https://cwiki.apache.org/confluence/display/AMBARI/Automated+Kerberizaton#AutomatedKerberizaton-kdc_...

.

Highlighted

Re: How to setup High Availability for kerberos

Explorer

@Jay SenSharma

Thank you for your infomation and the document.

I refer to it.

Highlighted

Re: How to setup High Availability for kerberos

@Hiroshi Shidara

Your question is a bit broad. Are you looking to set up a KDC (or Active Directory) for high availability or configure Ambari to connect to replicated KDCs or Active Directories?

If you are looking to set up a replicated KDC, this is probably not the forum for that. However if you are setting up an MIT KDC, you can following docs from https://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html.

From the Ambari side, as of Ambari 2.4.0, you can specify multiple KDC hosts to be set in the Ambari-managed krb5.conf file. Also, you will want to set the master_kdc value for the realm. There is a field in the Enable Kerberos Wizard in Ambari 2.5.1 and above for this (Advanced kerberos-env -> Master KDC host) or you can manually add it to the krb5.conf template under "Advanced krb5-conf".

Whether the krb5,conf file is managed by Ambari or not, the realm specification for your realm should look something like

    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        master_kdc = kdc1.example.com
    }

View solution in original post

Highlighted

Re: How to setup High Availability for kerberos

Explorer

Hi Robert,

Could you please clarify me some doubts.

I have installed kerberos in my cluster and its working fine.

Now i have to enable HA for Kerberos so as per my understanding I should install KDC in another server which acts as Standby and then I should update krb5.conf file on both servers as mentioned above.

Is my understanding correct? if not could you please guide me through the steps to enable HA.


Kind Regards,

Manjunath P N

Highlighted

Re: How to setup High Availability for kerberos

@Manjunath P N. I am not sure of all the steps, but they should be outlined here - https://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html.


Re: How to setup High Availability for kerberos

Explorer

@Robert Levas

@Jay Sensharma

Thank you for your infomation.

We will try the practice.

Don't have an account?
Coming from Hortonworks? Activate your account here