Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

configuring secondary kdc in ambari

Labels:
avatar
author-rank arunpoy
Guru

Created ‎06-29-2016 09:10 PM

I have set up a primary and secondary KDC manually. I am not using any AD.

How do i specify the secondary in ambari. if it is just a primary, i can specify in ambari directly. any example or thoughts would be great.

1,029 Views
1 ACCEPTED SOLUTION

avatar
author-rank rlevas
Guru

Created ‎06-29-2016 11:03 PM

@ARUNKUMAR RAMASAMY

Assume by "secondary KDC", you either mean in a master/slave relationship or a trust relationship (where each KDC hosts its own realm)

If this is a master/slave relationship, you need to edit that krb5.conf template (under the Advanced krb5-conf tab on the Kerberos service config page) to specify the additional KDC host and (optionally) the master KDC:

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = {{realm}}
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  #default_tgs_enctypes = {{encryption_types}}
  #default_tkt_enctypes = {{encryption_types}}
{% if domains %}
[domain_realm]
{% for domain in domains.split(',') %}
  {{domain}} = {{realm}}
{% endfor %}
{% endif %}
[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log
[realms]
  {{realm}} = {
    admin_server = {{admin_server_host|default(kdc_host, True)}}
    kdc = fqdn.slave.kdc    
    kdc = {{kdc_host}}
    master_kdc = {{kdc_host}}
  }
{# Append additional realm declarations below #}

Note the addition of the kdc and master_kdc entries in the realm definition. For the additional kdc entry, "fqdn.slave.kdc" should be change to the FQDN (and optionally port) of the slave KDC.

If this is a trust relationship, then you need to add the additional realm to the krb5.conf template (under the Advanced krb5-conf tab on the Kerberos service config page). 

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = {{realm}}
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  #default_tgs_enctypes = {{encryption_types}}
  #default_tkt_enctypes = {{encryption_types}}

{% if domains %}
[domain_realm]
{% for domain in domains.split(',') %}
  {{domain}} = {{realm}}
{% endfor %}
{% endif %}

[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log

[realms]
  {{realm}} = {
    admin_server = {{admin_server_host|default(kdc_host, True)}}
    kdc = {{kdc_host}}
  }

{# Append additional realm declarations below #}
  ADDITONAL.REALM = {
    admin_server = FQDN.admin.server
    kdc = fqdn.kdc    
  }

Note the additional realm, named "ADDITIONAL.REALM", which should be changed to the actual realm name. Also the admin_server and kdc values need to set appropriately.

You will also want to add the additional realm to the "Additional Realms" value in the Kerberos admin page so that an entry will be created in the auto-generated auth-to-local rule sets. By editing the data on this page and saving it, I believe the configurations will be updated and you may have to restart some services. If not, you should click on the "Regenerate Keytabs" button and the configurations will be updated along with the new keytab files.

View solution in original post

665 Views
1 REPLY 1

avatar
author-rank rlevas
Guru

Created ‎06-29-2016 11:03 PM

@ARUNKUMAR RAMASAMY

Assume by "secondary KDC", you either mean in a master/slave relationship or a trust relationship (where each KDC hosts its own realm)

If this is a master/slave relationship, you need to edit that krb5.conf template (under the Advanced krb5-conf tab on the Kerberos service config page) to specify the additional KDC host and (optionally) the master KDC:

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = {{realm}}
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  #default_tgs_enctypes = {{encryption_types}}
  #default_tkt_enctypes = {{encryption_types}}
{% if domains %}
[domain_realm]
{% for domain in domains.split(',') %}
  {{domain}} = {{realm}}
{% endfor %}
{% endif %}
[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log
[realms]
  {{realm}} = {
    admin_server = {{admin_server_host|default(kdc_host, True)}}
    kdc = fqdn.slave.kdc    
    kdc = {{kdc_host}}
    master_kdc = {{kdc_host}}
  }
{# Append additional realm declarations below #}

Note the addition of the kdc and master_kdc entries in the realm definition. For the additional kdc entry, "fqdn.slave.kdc" should be change to the FQDN (and optionally port) of the slave KDC.

If this is a trust relationship, then you need to add the additional realm to the krb5.conf template (under the Advanced krb5-conf tab on the Kerberos service config page). 

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = {{realm}}
  ticket_lifetime = 24h
  dns_lookup_realm = false
  dns_lookup_kdc = false
  #default_tgs_enctypes = {{encryption_types}}
  #default_tkt_enctypes = {{encryption_types}}

{% if domains %}
[domain_realm]
{% for domain in domains.split(',') %}
  {{domain}} = {{realm}}
{% endfor %}
{% endif %}

[logging]
  default = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log
  kdc = FILE:/var/log/krb5kdc.log

[realms]
  {{realm}} = {
    admin_server = {{admin_server_host|default(kdc_host, True)}}
    kdc = {{kdc_host}}
  }

{# Append additional realm declarations below #}
  ADDITONAL.REALM = {
    admin_server = FQDN.admin.server
    kdc = fqdn.kdc    
  }

Note the additional realm, named "ADDITIONAL.REALM", which should be changed to the actual realm name. Also the admin_server and kdc values need to set appropriately.

You will also want to add the additional realm to the "Additional Realms" value in the Kerberos admin page so that an entry will be created in the auto-generated auth-to-local rule sets. By editing the data on this page and saving it, I believe the configurations will be updated and you may have to restart some services. If not, you should click on the "Regenerate Keytabs" button and the configurations will be updated along with the new keytab files.

666 Views
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements