Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Realm and Domain Name

avatar
author-rank pauljoshiva
Contributor

Created ‎02-17-2021 02:59 PM

What is Realm Name and Domain name in Kerberos setup.

For example:

Ldap/AD server  FQDN: ldapserver.abc.example.com

Ambari FQDN: ambari.dev.xyz.example.com

Also, should all my nodes be in time sync with Ldap server.

3,345 Views
0 Kudos
5 REPLIES 5

avatar
author-rank nthomas author-rank
Contributor

Created ‎02-18-2021 01:01 AM

By default, the name of the realm is taken to be the DNS domain name of the server in all capital letters.
foo.example.org → EXAMPLE.ORG
foo.example.com → EXAMPLE.COM
foo.hq.example.com → HQ.EXAMPLE.COM
In some configurations, this will be sufficient, but in others, the realm name which is derived will be the name of a non-existent realm. In these cases, the mapping from the server's DNS domain name to the name of its realm must be specified in the domain_realm section of the client system's krb5.conf. For example:
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
The configuration specifies two mappings. The first mapping specifies that any system in the example.com DNS domain belongs to the EXAMPLE.COM realm. The second specifies that a system with the exact name example.com is also in the realm
Also, time should be correct/synced in all servers.
3,312 Views
0 Kudos

avatar
author-rank pauljoshiva
Contributor

Created ‎02-18-2021 10:27 AM

@nthomas thank you for your reply.

So my configuration would be:

Realm Name: ABC.EXAMPLE.COM

domain_realm:

.example.com = EXAMPLE.COM

example.com = EXAMPLE.COM

this configuration will map all my hdp nodes to this Realm correct?

All my hdp nodes (EST) should be in sync with Ldap server (UTC)

3,291 Views
0 Kudos

avatar
author-rank nthomas author-rank
Contributor

Created ‎02-19-2021 01:20 AM

Configuration should be like this:

 

Realm Name: ABC.EXAMPLE.COM

domain_realm:

.example.com = ABC.EXAMPLE.COM

example.com =  ABC.EXAMPLE.COM

Usually, the realm name should be configured when you set up AD. I would recommend checking with your AD team to get the mapping details.

Also, time should be synced.

3,253 Views
0 Kudos

avatar
author-rank pauljoshiva
Contributor

Created on ‎02-19-2021 03:45 PM - edited ‎02-19-2021 03:46 PM

Hello @nthomas ,

Please correct me if i'm wrong:

 AD domain : abc.example.com

HDP DEV domain: dev.xyz.example.com

HDP PROD domain: xyz.example.com

 

In DEV Kerberos settings:

Realm Name : ABC.EXAMPLE.COM

KDC Host : ldapserver.abc.example.com:636

Domains: .dev.xyz.example.com,dev.xyz.example.com

 

In Prod Kerberos settings:

Realm Name : ABC.EXAMPLE.COM

KDC Host : ldapserver.abc.example.com:636

Domains: .xyz.example.com,xyz.example.com

 

3,233 Views
0 Kudos

avatar
author-rank nthomas author-rank
Contributor

Created ‎02-24-2021 10:48 PM

Yeah, this should work. Also, if you want to verify the complete configuration, I would recommend contacting Cloudera technical support:

==> https://my.cloudera.com/faq/support.html

3,176 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements