
kerberos High Availability

Explorer

I am planning to implement Kerberos HA. At this point we have one KDC server, which is a single point of failure. Can anyone please guide me on how to enable HA for Kerberos?


Community Manager

Hello Azim,

 

If you are using MIT Kerberos, you would configure one or more slave KDCs.   See "Install the slave KDCs" under the MIT Kerberos Documentation:  https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html

 

You will need to run the kprop command in a cron to synchronize the master with the slave KDCs.

 

Update the /etc/krb5.conf file on your hosts to include the additional KDCs for your realm.  Example:

 

[realms]
    EXAMPLE.REALM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        kdc = kdc3.example.com:750
        admin_server = kdc1.example.com
        master_kdc = kdc1.example.com
    }

Kerberos does not support load balancing.  If a timeout occurs connecting to the first KDC in the list, the next KDC will be tried.



David Wilder, Community Manager

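The cron job mentioned above, written out as an added example (not from the thread or the MIT documentation): it dumps the master's principal database and pushes it to every slave with kprop, continuing past an unreachable slave and recording which ones failed. Paths, hostnames and the 15-minute interval are placeholders; it runs on the master KDC only, and each slave must run kpropd with the master's host principal in its kpropd.acl.

```shell
#!/bin/sh
# Added example: keep slave KDCs in sync with the master via kprop.
# Run on the master KDC from cron. Hostnames and paths are placeholders.
set -eu

KDC_DIR="${KDC_DIR:-/var/kerberos/krb5kdc}"        # assumption: RHEL-style layout
DUMP_FILE="$KDC_DIR/slave_datatrans"
SLAVE_KDCS="${SLAVE_KDCS:-kdc2.example.com kdc3.example.com}"   # constructed list
FAILED_KDCS=""

log() { echo "$(date '+%Y-%m-%dT%H:%M:%S') kprop-sync: $*" >&2; }

# Dump the principal database on the master; this is the file kprop ships.
dump_master_db() {
    kdb5_util dump "$DUMP_FILE"
}

# Push one dump to every slave given as an argument. Keep going past a failed
# slave so one unreachable host does not leave the others stale; kprop
# authenticates with the master's host keytab, and kpropd on the slave accepts
# it only if the master's host principal is listed in its kpropd.acl.
# Returns 1 if any slave failed; FAILED_KDCS then lists them.
propagate_to_slaves() {
    dump="$1"; shift
    FAILED_KDCS=""
    for kdc in "$@"; do
        if kprop -f "$dump" "$kdc" >/dev/null 2>&1; then
            log "propagated to $kdc"
        else
            log "FAILED to propagate to $kdc"
            FAILED_KDCS="$FAILED_KDCS $kdc"
        fi
    done
    if [ -n "$FAILED_KDCS" ]; then
        return 1
    fi
    return 0
}

# Cron entry on the master, e.g. every 15 minutes:
#   */15 * * * * KPROP_SYNC_RUN=1 /usr/local/sbin/kprop-sync.sh
# A slave that misses a run keeps issuing tickets from its last dump, so an
# alert on the non-zero exit status matters more than the exact interval.
if [ "${KPROP_SYNC_RUN:-0}" = "1" ]; then
    dump_master_db
    # shellcheck disable=SC2086  # intentional word splitting of the host list
    propagate_to_slaves "$DUMP_FILE" $SLAVE_KDCS
fi
```

Newer MIT releases also offer incremental propagation (iprop), which avoids shipping a full dump on every run; the failover behaviour in krb5.conf is the same either way.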

Cloudera Employee

Hi Azim,

 

Are you using Cloudera Manager to manage the krb5.conf for the hosts in your cluster? If so, you can add a secondary KDC host with the following steps:

 


Step 1.) Within Cloudera Manager, under the Administration > Security > Configuration page, add the following to the "Advanced Configuration Snippet (Safety Valve) for the Default Realm in krb5.conf":

 

kdc = $secondary_host
admin_server = $secondary_host

 

Step 2.) Click "Save Changes" at the top of the page.

 

Step 3.) Execute a STOP (not restart) of the cluster services.

 

Step 4.) From the Cloudera Manager dashboard under the Actions dropdown, select "Deploy Kerberos Configuration".

 

Step 5.) Restart cluster services.


 

If you are not using Cloudera Manager to manage the krb5.conf for your hosts, you will need to manually update the krb5.conf and add the "kdc" and "admin_server" for the secondary KDC under the "Default Realms" section.

 

If you have any questions about this process or continue to encounter difficulties, please let us know.

 

Thanks,

 

Katelynn

Explorer

Thanks Katelynn, yes we do use Cloudera, so what I understand is this will enable a secondary KDC server?

The host you mentioned will act as the secondary KDC server? Or do I have to follow these steps after denloe's steps, as he mentioned above?

$secondary_host

 

Cloudera Employee

Hi Azim,

 

If you use Cloudera Manager then you only need to follow the steps I provided. In my example replace all instances of the variable $secondary_host with the appropriate hostname. Please remember that you will need to redeploy the Kerberos configurations after saving the changes in order for them to take effect.

 

If you encounter any difficulties with this process please let us know.

Master Guru

It depends...

 

If you use Cloudera Manager to manage your krb5.conf (Manage krb5.conf through Cloudera Manager is checked in Administration --> Settings --> Kerberos)

 

If you are not using Cloudera Manager to manage krb5.conf (Manage krb5.conf through Cloudera Manager is not checked) then you need to edit the /etc/krb5.conf files manually outside of Cloudera Manager.

 

I just wanted to clarify since you could be using Cloudera Manager but not have Cloudera Manager manage krb5.conf.

Master Guru

SORRY!  My copy/paste got messed up... here is the response I intended:

 

It depends...

 

If you use Cloudera Manager to manage your krb5.conf (Manage krb5.conf through Cloudera Manager is checked in Administration --> Settings --> Kerberos) then make the additions as Katelynn recommended.

 

If you are not using Cloudera Manager to manage krb5.conf (Manage krb5.conf through Cloudera Manager is not checked) then you need to edit the /etc/krb5.conf files manually outside of Cloudera Manager.

 

I just wanted to clarify since you could be using Cloudera Manager but not have Cloudera Manager manage krb5.conf.

Explorer

Thanks for the reply, we do not use Cloudera Manager to manage the krb5.conf file. So does that mean I need to do this manually like denloe mentioned?

Cloudera Employee

Hi Azim,

 

If you are not using Cloudera Manager to manage the krb5.conf then yes, you will need to manually update the krb5.conf on each host to include the secondary kdc and admin_server under the "[default realms]" section, as my colleagues denloe and bgooley have mentioned.
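Once krb5.conf has been updated on every host, the thing worth checking is that no host still lists a single KDC for the realm. The following audit script is an added example, not from the thread or from Cloudera; it assumes a POSIX awk and the [realms] stanza layout shown earlier in this thread, and it embeds a constructed sample krb5.conf so it can be tried without touching a real host.

```shell
#!/bin/sh
# Added example: audit a krb5.conf for realms that still list a single KDC,
# the single point of failure the question describes.
set -eu

# Count "kdc = ..." lines inside the named realm's block of [realms].
# Whitespace-insensitive, so "kdc=host", "kdc = host" and "kdc = host:port"
# all count; # and ; comment lines are skipped.
count_realm_kdcs() {
    conf="$1"; realm="$2"
    awk -v realm="$realm" '
        { line = $0; gsub(/[ \t]/, "", line) }         # whitespace-stripped copy
        line == "" || line ~ /^[#;]/ { next }          # blank or comment
        line ~ /^\[/ { inrealms = (line == "[realms]"); inblock = 0; next }
        inrealms && !inblock && line == (realm "={") { inblock = 1; next }
        inblock && line ~ /^}/ { inblock = 0 }
        inblock && line ~ /^kdc=/ { n++ }
        END { print n + 0 }
    ' "$conf"
}

# Exit 0 when the realm lists at least two KDCs (failover possible), 1 otherwise.
check_realm_ha() {
    n=$(count_realm_kdcs "$1" "$2")
    if [ "$n" -ge 2 ]; then
        echo "$2: $n KDCs listed, failover possible"
        return 0
    fi
    echo "$2: $n KDC listed, single point of failure" >&2
    return 1
}

# Constructed sample krb5.conf: the thread's HA realm plus a single-KDC realm.
sample_krb5_conf() {
    cat <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.REALM
[realms]
    EXAMPLE.REALM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        kdc = kdc3.example.com:750
        admin_server = kdc1.example.com
        master_kdc = kdc1.example.com
    }
    LEGACY.REALM = {
        kdc=kdc.legacy.example.com
        admin_server = kdc.legacy.example.com
    }
EOF
}
# On a real host: check_realm_ha /etc/krb5.conf EXAMPLE.REALM
```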

Explorer

Thanks,

Is there a way I can migrate existing Kerberos management from the manual way to having Cloudera Manager manage the krb5.conf file? It will make our life so much easier to fail over if required.