
Kerberos KDC secondary


Has anyone tried to have a secondary KDC? In production it is definitely not a good approach to have the KDC as a single point of failure. Any thoughts, or does anyone have the steps with them?

Accepted Solutions

Re: Kerberos KDC secondary

Contributor

I generally recommend letting DNS handle this. The latest versions of the KRB client will default to resolving the KDC from SRV records in the DNS for the realm. This should be configured by default if you use Microsoft Active Directory (or AWS Simple AD).

If you want it explicit in your krb5.conf file, you can use DNS round robin with the A/AAAA/CNAME and reference that name in krb5.conf. Further, you could have multiple "kdc" entries for a realm in krb5.conf and a master_kdc entry which is only used when there are certain kinds of issues.

You can always manage the krb5.conf from Ambari inside the Kerberos component configs.
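As an added example that is not part of the original answer: a constructed krb5.conf for a hypothetical realm EXAMPLE.COM showing the multiple "kdc" entries and the master_kdc entry described above, together with a small shell check that flags a realm stanza that still lists only one KDC. The realm and hostnames are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Writes a constructed krb5.conf
# for the hypothetical realm EXAMPLE.COM with two KDCs plus master_kdc, then
# audits a realm stanza to see whether it still depends on a single KDC.
set -eu

# $1 = path to write. Realm and hostnames are placeholders.
write_sample_krb5_conf() {
  cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    # Let the client discover KDCs from the _kerberos._udp.EXAMPLE.COM and
    # _kerberos._tcp.EXAMPLE.COM SRV records before using the list below
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        # Explicit fallback list; the client tries these in order
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        # Only contacted after a bad-password failure, in case the password
        # was just changed and has not yet propagated to the replicas
        master_kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
EOF
}

# Print the kdc hosts configured for realm $2 in krb5.conf $1, one per line.
realm_kdcs() {
  awk -v realm="$2" '
    $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
    inrealm && $1 == "}"                  { inrealm = 0 }
    inrealm && $1 == "kdc" && $2 == "="   { print $3 }
  ' "$1"
}

# Succeed if realm $2 in $1 lists at least two KDCs; fail if it is a
# single point of failure.
check_kdc_redundancy() {
  local n
  n=$(realm_kdcs "$1" "$2" | wc -l | tr -d ' ')
  [ "$n" -ge 2 ]
}
```

Run check_kdc_redundancy against every realm in your real krb5.conf; a failure means that realm has no explicit KDC fallback and is relying entirely on DNS SRV discovery or on a single host.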
