I have an edge node in one realm and the data nodes in a different realm; Kerberos is integrated with Active Directory (AD).
As per my understanding, if the realm is the same for all the nodes in the machine, then a user who logs in to the edge node gets a Kerberos ticket, as Kerberos is integrated with AD. When the user submits its job, the ticket is transferred to the namenode and authentication takes place; once authenticated, the namenode will grant a delegate token. With the help of the delegate token, the job will continue to work on all other nodes.
But in this case the datanodes are in a different realm, so although the user gets a delegate token when logging in to the edge node, authentication will fail on the data node as its realm is not correct. What is the solution in this case?
Many Kerberos implementations that existed before setting up an MIT KDC can be integrated using a Cross-Realm Trust from the MIT KDC to AD.
The steps are detailed there; here is a link to One Way Trust - MIT KDC to Active Directory.
In HDP/CDH that should work well too, with detail about the auth_to_local.
I have implemented many deployments successfully; should you encounter a problem, let me know.
@Shelton thanks for your reply! This cross-realm trust works when we want to set up cross-realm trust between AD and an MIT KDC server, but when your edge node is in one realm and the datanodes are in a different realm, how will you set up cross-realm trust?
My problem is that when AD users log in to the edge node and get a Kerberos ticket, which is communicated to the namenode, the namenode will give a delegate token to authenticate further; but in this case the datanodes are not in the same realm as the edge node, hence the same delegate token won't work.
How do I set up cross-realm trust between the edge node and the datanodes?
Do I need to set it up like the following:
1) cross-realm MIT KDC (edge node) to AD.
2) cross-realm MIT KDC (datanodes) to AD.
I have got confused with the cross-realm ideas. Though I do understand the MIT KDC to AD trust in the link you provided, I am not able to get a solution when the edge node and data nodes are both in different realms.
Can you elaborate on your setup? Are you running HDP or CDH? How many distinct REALMS do you have? Please share after tokenizing your real REALM names.
@KuldeepK has well documented how to set up cross-realm trust between two MIT KDCs; this involves configuring the realm mapping, editing your krb5.conf and capaths etc.
That's how the entry should be on the edge node and on all hosts in the other cluster including the data nodes. First read and try to understand the logic in the mapping, then you can use the AD and the DN REALMS.
Let me know if you still need help after perusing that document.
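Added example (not part of the thread, and not code from HDP, CDH or the linked documents): the two pieces the replies above refer to, a krb5.conf with a `[capaths]` section declaring the trust between an AD realm and the cluster's MIT KDC realm, and the `hadoop.security.auth_to_local` rules that map principals from the trusted AD realm onto local short names on every cluster host. The realm names (`AD.EXAMPLE.COM`, `CLUSTER.EXAMPLE.COM`) and hostnames are hypothetical. The rule evaluator is a simplified re-implementation of Hadoop's `RULE:[n:string](regex)s/pattern/replacement/` semantics, written here to let you check a rule set offline before deploying it; it is not Hadoop's own code, and it only covers the `hadoop` mapping mechanism (the result must be a simple name, no `@` or `/`). The `capaths_direct` helper parses only this example's krb5.conf layout.

```python
import re

# Constructed krb5.conf fragment for every cluster host, including the edge node
# and the datanodes. The '.' entries declare a direct trust path in both directions.
KRB5_CONF = """
[libdefaults]
    default_realm = CLUSTER.EXAMPLE.COM

[realms]
    CLUSTER.EXAMPLE.COM = {
        kdc = kdc.cluster.example.com
        admin_server = kdc.cluster.example.com
    }
    AD.EXAMPLE.COM = {
        kdc = dc1.ad.example.com
    }

[domain_realm]
    .cluster.example.com = CLUSTER.EXAMPLE.COM
    .ad.example.com = AD.EXAMPLE.COM

[capaths]
    AD.EXAMPLE.COM = {
        CLUSTER.EXAMPLE.COM = .
    }
    CLUSTER.EXAMPLE.COM = {
        AD.EXAMPLE.COM = .
    }
"""

# Constructed hadoop.security.auth_to_local value (core-site.xml). Users and
# service principals from the trusted AD realm are mapped to their first
# component; everything in the local realm falls through to DEFAULT.
AUTH_TO_LOCAL_RULES = [
    r"RULE:[1:$1@$0](.*@AD\.EXAMPLE\.COM)s/@.*//",
    r"RULE:[2:$1@$0](.*@AD\.EXAMPLE\.COM)s/@.*//",
    "DEFAULT",
]
LOCAL_REALM = "CLUSTER.EXAMPLE.COM"

# RULE:[n:format](regex)s/pattern/replacement/g  (regex and sed parts optional)
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")


class NoMatchingRule(Exception):
    """Raised when no rule maps the principal, mirroring Hadoop's behaviour."""


def split_principal(principal):
    name, _, realm = principal.rpartition("@")
    if not name or not realm:
        raise ValueError("malformed principal: %s" % principal)
    return name.split("/"), realm


def apply_rules(principal, rules=AUTH_TO_LOCAL_RULES, local_realm=LOCAL_REALM):
    """Return the local short name for principal, or raise NoMatchingRule."""
    components, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            if realm == local_realm:           # DEFAULT only accepts the local realm
                return components[0]
            continue
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("bad rule: %s" % rule)
        n, fmt, regex, pat, rep, glob = m.groups()
        if len(components) != int(n):          # rule applies to n-component names only
            continue
        short = fmt.replace("$0", realm)       # $0 = realm, $1.. = components
        for i, comp in enumerate(components, 1):
            short = short.replace("$%d" % i, comp)
        if regex is not None and not re.fullmatch(regex, short):
            continue
        if pat is not None:
            short = re.sub(pat, rep, short, count=0 if glob else 1)
        if "@" in short or "/" in short:       # hadoop mechanism: result must be simple
            raise NoMatchingRule("non-simple name %s from %s" % (short, principal))
        return short
    raise NoMatchingRule("no rule for %s" % principal)


def capaths_direct(conf_text, client_realm, server_realm):
    """True if [capaths] declares a direct ('.') path from client_realm to server_realm."""
    section, block = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            continue
        if section != "capaths":
            continue
        if line.endswith("{"):
            block = line.split("=")[0].strip()
        elif line == "}":
            block = None
        elif block == client_realm:
            key, _, value = line.partition("=")
            if key.strip() == server_realm and value.strip() == ".":
                return True
    return False


if __name__ == "__main__":
    print(capaths_direct(KRB5_CONF, "AD.EXAMPLE.COM", "CLUSTER.EXAMPLE.COM"))   # True
    for p in ["alice@AD.EXAMPLE.COM", "hdfs/dn1.cluster.example.com@CLUSTER.EXAMPLE.COM"]:
        print(p, "->", apply_rules(p))
```

The trust itself (the shared `krbtgt/CLUSTER.EXAMPLE.COM@AD.EXAMPLE.COM` principal on the MIT side and the matching realm trust on the AD side) is created with kadmin and the AD tools exactly as the linked One Way Trust document describes; the krb5.conf and rules above are what every host, edge node and datanodes alike, needs so that an AD user's ticket is accepted and resolved to the same short name everywhere. A principal from an unlisted realm (for example `mallory@OTHER.EXAMPLE.NET`) matches no rule and is rejected, which is the behaviour you want to confirm before opening the trust.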