Use an Existing Active Directory
To use an existing Active Directory domain for the cluster with Automated Kerberos Setup, you must prepare the following:
- Ambari Server and cluster hosts must have network access to, and be able to resolve the DNS names of, the Domain Controllers.
- Active Directory secure LDAP (LDAPS) connectivity has been configured.
- The Active Directory User container for principals has been created and is on hand. For example, "OU=Hadoop,OU=People,dc=apache,dc=org".
  Note: The Active Directory user name for the metron account must be the same as the Kerberos user name.
- Active Directory administrative credentials with delegated control of “Create, delete, and manage user accounts” on the previously mentioned User container are on hand.
Note: You will be prompted to enter the KDC Admin Account credentials during the Kerberos setup so that Ambari can contact the KDC and perform the necessary principal and keytab generation. By default, Ambari will not retain the KDC credentials unless you have configured Ambari for encrypted passwords.
Note: If Centrify is installed and being used on any of the servers in the cluster, it is critical that you refer to Centrify's integration guide before attempting to enable Kerberos Security on your cluster. The documentation can be found in the Centrify Server Suite documentation library, with a direct link to the Hortonworks-specific PDF here.
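The first two prerequisites above (DNS resolution of the Domain Controllers and working LDAPS) can be checked from the Ambari Server and each cluster host before starting the Kerberos wizard. The following is an added example, not part of the original documentation or of Ambari; the function names and the host name `dc1.example.invalid` are assumptions made for illustration.

```python
import socket
import ssl

LDAPS_PORT = 636  # standard LDAPS port


def resolve(host):
    """Return the sorted IP addresses a host name resolves to ([] if none)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except (socket.gaierror, UnicodeError):  # unresolvable or malformed name
        return []
    return sorted({info[4][0] for info in infos})


def check_ldaps(host, port=LDAPS_PORT, cafile=None, timeout=5.0):
    """Do a TLS handshake that verifies the certificate chain and host name.

    cafile: PEM file of the CA that issued the Domain Controller certificate
    (None uses the system trust store). Returns (ok, detail).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate not trusted: {exc.verify_message}"
    except OSError as exc:  # refused, timed out, or other TLS failure
        return False, f"connection failed: {exc}"


def preflight(domain_controllers, port=LDAPS_PORT, cafile=None):
    """Run both checks per Domain Controller; return {host: [problems]}."""
    report = {}
    for dc in domain_controllers:
        if not resolve(dc):
            report[dc] = ["DNS name does not resolve"]
            continue
        ok, detail = check_ldaps(dc, port, cafile)
        report[dc] = [] if ok else [f"LDAPS: {detail}"]
    return report


if __name__ == "__main__":
    # Constructed host name; replace with your Domain Controllers.
    for host, problems in preflight(["dc1.example.invalid"]).items():
        print(host, "; ".join(problems) or "OK")
```

A "certificate not trusted" result means the host reaches the Domain Controller but does not trust its LDAPS certificate; fix the trust store rather than disabling verification.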