Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Kerberos KDC secondary

avatar

Has anyone tried to have a secondary KDC. In production definitely it is not a good approach to have the KDC as a single point of failure. any thoughts or anyone has the steps with them.

1 ACCEPTED SOLUTION

avatar
Rising Star

I generally recommend letting DNS handle this. The latest versions of the KRB client will default to resolving the KDC from SRV records in the DNS for the realm. This should be configured by default if you use Microsoft Active Directory (or AWS Simple AD).

If you want it explicit in your krb5.conf file, you can use DNS round robin with the A/AAA/CNAME and reference that name in krb5.conf. Further, you could have multiple "kdc" entries for a realm in krb5.conf and a master_kdc entry which is only used when there are certain kinds of issues.

You can always manage the krb5.conf from Ambari inside the Kerberos component configs.

View solution in original post

1 REPLY 1

avatar
Rising Star

I generally recommend letting DNS handle this. The latest versions of the KRB client will default to resolving the KDC from SRV records in the DNS for the realm. This should be configured by default if you use Microsoft Active Directory (or AWS Simple AD).

If you want it explicit in your krb5.conf file, you can use DNS round robin with the A/AAA/CNAME and reference that name in krb5.conf. Further, you could have multiple "kdc" entries for a realm in krb5.conf and a master_kdc entry which is only used when there are certain kinds of issues.

You can always manage the krb5.conf from Ambari inside the Kerberos component configs.