04-27-2016 06:31 PM
We're using a local KDC and have created service principals for the Hadoop service accounts (yarn, hdfs, mapred, etc.). The services start up and automatically generate their TGTs to access the Hadoop services. Regular users authenticate against Active Directory using a cross-realm one-way trust that has been set up. When those users log in to Linux, they get a TGT from the local KDC with their AD credentials (e.g. bk835@ACME.ORG). If you have multiple Hadoop clusters, you may run into collisions with the same Hadoop usernames existing in AD (e.g. yarn, hdfs, mapred, etc.). Because of this, I've convinced the customer to use separate KDCs for each Hadoop realm. I've got three clusters set up. Setting up a KDC on Linux is fairly straightforward, and I can control it rather than depending on the AD administrators to do something for me with respect to issues with service principals or keytab files.