How does Kerberos authentication work when the edge node and data nodes are in different realms?
I have an edge node in one realm and data nodes in a different realm; Kerberos is integrated with Active Directory (AD).

As per my understanding, if the realm is the same for all the nodes in the cluster, then when a user logs in to the edge node they get a Kerberos ticket, as Kerberos is integrated with AD. When the user submits a job, the ticket is transferred to the namenode and authentication takes place; once authenticated, the namenode grants a delegation token. With the help of the delegation token, the job continues to work on all other nodes.

But in this case the datanodes are in a different realm, so although the user gets a delegation token when logging in to the edge node, authentication will fail on the data node as its realm is not correct. What is the solution in this case?


Many Kerberos implementations that existed before setting up an MIT KDC can be integrated using cross-realm trust from the MIT KDC to AD.

The document details the steps; here is a link: One Way Trust - MIT KDC to Active Directory

In HDP/CDH that should work well too, with details about the auth_to_local.

I have implemented many deployments successfully; should you encounter a problem, let me know.
Happy hadooping


@Shelton thanks for your reply! This cross-realm trust works when we want to set up cross-realm trust between AD and an MIT KDC server, but when your edge node is in one realm and the datanodes are in a different realm, how will you set up cross-realm trust?

My problem is this: when AD users log in to the edge node, they get a Kerberos ticket which is communicated to the namenode, and the namenode will give a delegation token to authenticate further; but as in this case the datanodes are not in the same realm as the edge node, the same delegation token won't work.

How do I set up cross-realm trust between the edge node and the datanodes?

Do I need to set it up like the following:

1) cross-realm trust from the MIT KDC (edge node) to AD,

2) cross-realm trust from the MIT KDC (datanodes) to AD?


I have got confused with the cross-realm ideas; though I do understand the MIT KDC to AD trust in the link you provided, I am not able to find a solution when the edge node and data nodes are in different realms.


Can you elaborate on your setup? Are you running HDP or CDH? How many distinct REALMs do you have? Please share after tokenizing your real REALM names.

@KuldeepK has well documented how to set up cross-realm trust between two MIT KDCs; this involves configuring the realm mapping, editing your krb5.conf and capaths, etc.


That's how the entry should be on the edge node and all hosts in the other cluster, including the data nodes. First read and try to understand the logic in the mapping, then you can use the AD and the DN REALMs.

Let me know if you still need help after perusing that document.
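
Since the mapping discussed above only works if the auth_to_local rules on every host resolve the cross-realm principals to the same local user, here is an added example (not part of this thread and not Hadoop's own code) that evaluates Hadoop-style auth_to_local rules in Python, so you can check offline which local name an AD user, an edge-cluster service principal or a datanode-realm principal maps to. The realms AD.EXAMPLE.COM, EDGE.EXAMPLE.COM and DN.EXAMPLE.COM are constructed placeholders, and the optional /L lowercase flag is not handled.

```python
import re
# Constructed placeholder realms: AD for users, EDGE for the edge-node
# cluster, DN for the datanode cluster whose hosts evaluate these rules.
DEFAULT_REALM = "DN.EXAMPLE.COM"
RULES = [
    r"RULE:[1:$1@$0](.*@AD\.EXAMPLE\.COM)s/@.*//",     # AD users -> short name
    r"RULE:[2:$1@$0](.*@EDGE\.EXAMPLE\.COM)s/@.*//",   # edge service principals
    "DEFAULT",                                          # own-realm principals
]
# RULE:[n:format](match)s/from/to/g  (the (match) and s/// parts are optional)
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?"
    r"(?:s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g?))?$")

def parse_principal(principal):
    # Split 'comp1/comp2@REALM' into (realm, [comp1, comp2]).
    name, _, realm = principal.partition("@")
    if not realm:
        raise ValueError("principal has no realm: " + principal)
    return realm, name.split("/")

def apply_rule(rule, realm, components, default_realm):
    """Return the local name this rule produces, or None if it does not apply."""
    if rule == "DEFAULT":
        return components[0] if realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unparseable rule: " + rule)
    n, fmt, match, frm, to, flag = m.groups()
    if int(n) != len(components):          # rule applies only to n-component names
        return None
    base = fmt.replace("$0", realm)         # $0 is the realm, $1.. the components
    for i, comp in enumerate(components, 1):
        base = base.replace("$%d" % i, comp)
    if match and not re.fullmatch(match, base):
        return None
    if frm is None:
        return base
    return re.sub(frm, to, base, count=0 if flag == "g" else 1)

def auth_to_local(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """Map a Kerberos principal to a local user name; the first matching rule wins."""
    realm, components = parse_principal(principal)
    for rule in rules:
        result = apply_rule(rule, realm, components, default_realm)
        if result is not None:
            if "@" in result or "/" in result:   # Hadoop rejects non-simple names
                raise ValueError("non-simple name %r from %s" % (result, rule))
            return result
    raise ValueError("no auth_to_local rule matched " + principal)
```

A principal from a realm with no rule (and not the default realm) raises, which is the same outcome Hadoop reports as "No rules applied" on the datanode side when the mapping is incomplete.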