if you use MIT kerberos server or Freeipa so 'kdc' it is bad workaround because you should make HA for kerberos using DNS as balancing for KDC servers. You need to switch on dns_lookup_kdc=true and it will discover any external realms so if that realm have a trust (for example two-ways) you can use direct connection to any external KDC to get TGT and then to ask TGS from your realm service or to get TGT in your realm and to connect external server with TGS for that service. Java (not Hadoop) doesn't support included configs but when you use execute authentication class the processing goes over sssd that use config to get KDC info. However if your Active Directory domain is second domain level but MIT has the third domain level you will look conflict for routing becase all of you internal realm request will go to AD. It can be solved by adding routing in krb5.conf to [domain_realm] section like: [domain_realm] mit.domain.local = MIT.DOMAIN.LOCAL .mit.domain.local = MIT.DOMAIN.LOCAL host.mit.domain.local = MIT.DOMAIN.LOCAL domain.local = AD.DOMAIN.LOCAL .domain.local = AD.DOMAIN.LOCAL
... View more
