
Kerberos Configuration: 2 clusters same OU in AD

Explorer

Hi everybody,

I've a Kerberized cluster bound to the corporate Active Directory, and all the service principals are created in a specific OU.

My question is:

If I want to initialize a new cluster (with a separate Cloudera Manager), can I use the same OU that I've used for the first cluster?

Is it not recommended? Are there drawbacks?

Thank you so much,

Ivan

1 REPLY 1

Super Guru

@Vinn,

Indeed, you can use the same subtree (OU, for example) to store the cluster credentials for several clusters. Each Cloudera Manager will create/delete the ones that apply to the hosts and services that are managed by it. One way to distinguish each one is to use the Active Directory Account Prefix configuration in Administration --> Settings --> Kerberos. It allows you to set an arbitrary prefix for the CN value of any entries created for that cluster. This will let you distinguish one cluster's principal objects from the others.

Although the above will work, I do recommend using separate subtrees to store each cluster's principals. It is easier to manage and allows you to more easily define security where the AD user that CM uses to add/delete principals can only act on its own principal objects.

In summary, there isn't a functional difference for each cluster's Cloudera Manager if you store all the clusters' principals in one place, but it might be simpler to manage the objects if they are separate. Using the Active Directory Account Prefix will also help you in distinguishing which principal object belongs to which cluster.
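Added example (not part of the reply above and not Cloudera's code): a Python audit for a shared OU that attributes each account object to a cluster by its CN prefix, lists objects that match no cluster, and flags prefixes that overlap and so make ownership ambiguous. The cluster names, prefixes and DNs are constructed; it assumes the OU has been exported as a list of DNs and that each CN starts with the prefix configured for its cluster.

```python
import re
from collections import defaultdict

# Hypothetical prefixes, one per cluster, as entered in each Cloudera
# Manager's "Active Directory Account Prefix" setting.
CLUSTER_PREFIXES = {"cluster-a": "cla", "cluster-b": "clb", "cluster-b-dr": "clbdr"}

# Constructed sample: DNs exported from the shared OU (not real data).
SAMPLE_DNS = [
    "CN=claQzRkWmTpLx,OU=Hadoop,DC=corp,DC=example,DC=com",
    "CN=clbYhNvBsGdKe,OU=Hadoop,DC=corp,DC=example,DC=com",
    "CN=clbdrPwJxCuAf,OU=Hadoop,DC=corp,DC=example,DC=com",
    "CN=CLAmixedCase01,OU=Hadoop,DC=corp,DC=example,DC=com",
    "CN=svc\\,backup,OU=Hadoop,DC=corp,DC=example,DC=com",
]

_CN_RE = re.compile(r"^CN=((?:\\.|[^,\\])+)", re.IGNORECASE)

def cn_of(dn):
    """Return the leading CN value of a DN, honouring backslash escapes."""
    m = _CN_RE.match(dn.strip())
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else None

def overlapping_prefixes(prefixes):
    """Cluster pairs (shorter, longer) where one prefix begins with the other.
    An object of the 'shorter' cluster can then look like the 'longer' one."""
    items = sorted(prefixes.items(), key=lambda kv: len(kv[1]))
    return [(a, b) for i, (a, pa) in enumerate(items)
            for b, pb in items[i + 1:] if pb.lower().startswith(pa.lower())]

def attribute(dns, prefixes):
    """Map cluster -> CNs by longest matching prefix; unmatched go under None.
    Matching ignores case because AD compares CN values case-insensitively."""
    by_len = sorted(prefixes.items(), key=lambda kv: -len(kv[1]))
    owned = defaultdict(list)
    for dn in dns:
        cn = cn_of(dn)
        if cn is None:
            owned[None].append(dn)  # not a CN-rooted DN; keep it for review
            continue
        owner = next((c for c, p in by_len
                      if cn.lower().startswith(p.lower())), None)
        owned[owner].append(cn)
    return dict(owned)

if __name__ == "__main__":
    for cluster, cns in attribute(SAMPLE_DNS, CLUSTER_PREFIXES).items():
        print(cluster or "UNATTRIBUTED", cns)
    print("overlapping prefixes:", overlapping_prefixes(CLUSTER_PREFIXES))
```

Objects listed under `None` and any overlapping prefix pair are the cases where a shared OU makes it hard to tell which cluster's Cloudera Manager account should be allowed to touch an object.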
