Switch from MIT Kerberos auth to AD Auth

Explorer

Hello,

In our cluster we have MIT Kerberos authentication enabled, and we would like to move to AD authentication. We would appreciate it if someone could share best practices, documents, how-tos, etc., on how to move forward on this and what changes would be required in order to achieve this mission.

Regards

Amn


Re: Switch from MIT Kerberos auth to AD Auth

Contributor

@Amn_468 

At a high level, the steps are:

Use Cloudera Manager to manage and distribute the krb5.conf that CDH needs for requesting Kerberos tickets.

Here are the recommended steps:

  1. Shut down the CDH services
  2. Shut down the Cloudera Manager Management services
  3. Walk through the steps for configuring direct-to-AD integration
  4. Regenerate all the principals
  5. Distribute the new krb5.conf (which has the AD realm information)
  6. Start the Cloudera Manager Management services
  7. Start the CDH services

Also, review the docs below:

Enabling Kerberos Authentication for CDH

https://docs.cloudera.com/documentation/enterprise/latest/topics/cm_sg_intro_kerb.html?scroll=xd_583...

I hope this helps.

Thanks,

Tarun

Re: Switch from MIT Kerberos auth to AD Auth

Explorer

Hi @tjangid 

Thanks for your reply. In my previous post I incorrectly mentioned that we want to move from MIT Kerberos to AD, whereas we currently have MIT Kerberos (local) working in our cluster and we need that to be integrated with AD.

So basically I am looking to find some detailed steps or guides on how to get this done. I have come across some blogs regarding one-way cross-realm trust, etc., and I am a bit confused by these.

Appreciate any help in this regard

Thanks

Re: Switch from MIT Kerberos auth to AD Auth

Cloudera Employee

If you need to switch to AD-based Kerberos from MIT, then the following things need to happen:

  1. Get an OU designated for the Cloudera service principals to be created in
  2. Then get an admin user account, such as svc-cloudera@REALM, that can create/delete/modify the service accounts in the OU designated for Cloudera; it needs to have full permission on that OU
  3. Now go to CM >> Administration >> Security >> Kerberos Credentials >> Configuration and edit the config to make the switch
  4. What needs to be changed/added:
    • KDC Type
    • Edit the Active Directory Suffix to specify the OU you created for the service accounts
    • Enable 'Active Directory Delete Accounts on Credential Regeneration'
    • Enable 'Active Directory Set Encryption Types'
    • Make sure that the setting 'Active Directory Password Properties' satisfies your AD password restrictions
    • Kerberos Security Realm needs to be the same as your domain, but in UPPER CASE
    • KDC Server Host needs to have the AD host. Don't use the load-balanced domain controller
  5. Then save the changes. Go back to the Kerberos Credentials page and click 'Generate Missing Credentials'
  6. Make sure that the principals now match the AD REALM, and also have the AD team check that the principals appear in the OU allotted for this cluster
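The two answers above both end with checks an admin would want to automate: that the distributed krb5.conf carries the AD realm (upper-cased domain, a specific DC as KDC rather than the load-balanced domain name) and that regenerated keytabs contain only principals in that realm. The script below is an added example written for this thread, not Cloudera Manager code. It parses constructed `klist -kt` output and a constructed krb5.conf; the hostnames, realm names and the leftover HADOOP.LOCAL entry are placeholders chosen to exercise the checks, and the "domain name means load-balanced DC" interpretation is an assumption.

```python
"""Post-switch verification for a cluster moved from a local MIT KDC to AD
Kerberos. Hypothetical helper written for this thread, not Cloudera Manager
code: it parses `klist -kt` output and a krb5.conf and reports anything that
does not match the expectations stated in the answers above."""
import re

# Constructed sample of `klist -kt hdfs.keytab` after 'Generate Missing
# Credentials'. The last entry is a deliberate leftover from the old local
# realm so that the check below has something to flag.
SAMPLE_KLIST = """\
Keytab name: FILE:hdfs.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/15/20 10:00:00 hdfs/worker01.corp.example.com@CORP.EXAMPLE.COM
   3 01/15/20 10:00:00 HTTP/worker01.corp.example.com@CORP.EXAMPLE.COM
   2 01/10/20 09:00:00 hdfs/worker01.corp.example.com@HADOOP.LOCAL
"""

# Constructed sample krb5.conf; realm and hostnames are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = CORP.EXAMPLE.COM

[realms]
  CORP.EXAMPLE.COM = {
    kdc = dc01.corp.example.com
    admin_server = dc01.corp.example.com
  }
"""

# One keytab entry line: KVNO, date, time, principal@REALM
KEYTAB_LINE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+([^@\s]+)@([^@\s]+)\s*$")


def parse_klist(text):
    """Return (principal, realm) pairs from `klist -kt` style output."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def parse_krb5_conf(text):
    """Extract default_realm and the kdc hosts listed per realm under [realms]."""
    section, realm_block = None, None
    default_realm, kdcs = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm_block = line[1:-1], None
            continue
        if section == "libdefaults" and line.startswith("default_realm"):
            default_realm = line.split("=", 1)[1].strip()
        elif section == "realms":
            if line.endswith("{"):
                realm_block = line.split("=", 1)[0].strip()
                kdcs.setdefault(realm_block, [])
            elif line.startswith("kdc") and realm_block:
                kdcs[realm_block].append(line.split("=", 1)[1].strip())
    return default_realm, kdcs


def check_migration(klist_text, krb5_text, ad_domain):
    """Return a list of findings; an empty list means every check passed."""
    expected = ad_domain.upper()  # the realm must be the AD domain in upper case
    findings = []
    default_realm, kdcs = parse_krb5_conf(krb5_text)
    if default_realm != expected:
        findings.append(f"default_realm is {default_realm!r}, expected {expected!r}")
    if not kdcs.get(expected):
        findings.append(f"no kdc entries for realm {expected!r}")
    for kdc in kdcs.get(expected, []):
        # Assumption: the bare domain name resolves to any DC (round-robin),
        # which is the 'load balanced' target the answer says not to use.
        if kdc.lower() == ad_domain.lower():
            findings.append(f"kdc {kdc!r} is the domain name, not a specific DC")
    for principal, realm in parse_klist(klist_text):
        if realm != expected:
            findings.append(f"stale keytab entry {principal}@{realm}")
    return findings


if __name__ == "__main__":
    for finding in check_migration(SAMPLE_KLIST, SAMPLE_KRB5_CONF, "corp.example.com"):
        print("FINDING:", finding)
```

Run it against real output by piping `klist -kt <keytab>` and the cluster's /etc/krb5.conf into `check_migration` for each host; any non-empty result means a principal or the KDC configuration still points at the old local realm.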
