Support Questions
Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Advanced Search

Switch from MIT Kerberos auth to AD Auth

Highlighted

Switch from MIT Kerberos auth to AD Auth

Amn_468
Explorer

Created on ‎06-05-2020 02:42 AM - last edited on ‎06-05-2020 05:13 AM by Community Manager VidyaSargur Community Manager

Hello,

In our Cluster we have MIT Kerberos authentication enabled, we would like to move to AD Authentication, would appreciate if someone could share best practices / documents / how to etc, on how to move forward on this and what changes would be required in order to achieve this mission.

 

Regards

Amn

Reply
311 Views
0 Kudos
3 REPLIES 3

Re: Switch from MIT Kerberos auth to AD Auth

tjangid
Contributor

Created ‎06-05-2020 06:35 AM

@Amn_468 

 

On a high level below are the steps:

 

Use Cloudera Manager to manage and distribute the krb5.conf that the CDH needs for requesting Kerberos tickets.

Here are the recommended steps:

  1. Shutdown the CDH services
  2. Shutdown the Cloudera Manager Management services
  3. Walkthrough the steps for configuring direct to AD integration
  4. Regenerate all the principals
  5. Distribute the new krb5.conf (which has AD realm information)
  6. Start the Cloudera Manager Management services
  7. Start the CDH Services

 

Also, review below docs:

Enabling Kerberos Authentication for CDH

https://docs.cloudera.com/documentation/enterprise/latest/topics/cm_sg_intro_kerb.html?scroll=xd_583...

 

I hope this helps.

 

Thanks,

Tarun

Was your question answered? Make sure to mark the answer as the accepted solution.

If you find a reply useful, say thanks by clicking on the thumbs up button.

Reply
296 Views
0 Kudos
Highlighted

Re: Switch from MIT Kerberos auth to AD Auth

Amn_468
Explorer

Created ‎06-17-2020 10:42 PM

Hi @tjangid 

 

Thanks for your reply, in my previous post I incorrectly mentioned that we want to move from MIT Kerberos to AD, whereas, we currently have MIT Kerberos (local) working in our cluster and we need that to be integrated with AD.

So basically I am looking to find / get some detailed steps / guides on how to get this done. I have come across some blogs regarding one-way cross-realm trust etc, and a bit confused on these.

 

Appreciate any help in this regard

 

Thanks 

 

Reply
258 Views
0 Kudos
Highlighted

Re: Switch from MIT Kerberos auth to AD Auth

mvenkataraman
Cloudera Employee

Created ‎07-16-2020 05:44 PM

If you need to switch to AD based kerberos from MIT, then the following things need to happen:

  1. Get a OU designated for Cloudera Service principals to be created
  2. Then get a admin user account such as svc-cloudera@REALM that can create/delete/modify the service accounts in the OU designated for Cloudera, it needs to have full permission on that OU
  3. Now go to CM >>Administration >> Security >> Kerberos Credentials >> Configuration and edit the config to make the switch
  4. What needs to be changed/added :
    • KDC TYPE
    • Edit the Active Directory Suffix to specify the OU you created for the service accounts
    • Enable this 'Active Directory Delete Accounts on Credential Regeneration'
    • Enable this 'Active Directory Set Encryption Types'
    • Make sure that the setting 'Active Directory Password Properties' satisfies your AD password restriction
    • Kerberos Security Realm needs to be same as your domain but in UPPER CASE
    • KDC Server Host needs to have the AD host. Don't use the load balanced domain controller
  5. Then save the changes. Go back to Kerberos Credentials page and click on 'Generate Missing Credentials
  6. Make sure that the principals now match the AD REALM and also have the AD team check if the principals appear in the OU allotted for this cluster

 

 

Reply
210 Views
0 Kudos
Don't have an account?
Register