Add the AD domain as a realm to the krb5.conf on the Hadoop
cluster hosts. Optionally configure encryption types and UDP preferences.
Open the krb5.conf file with a text editor and make the following changes:

To libdefaults, add the following properties:

Set the Hadoop realm as default:

    [libdefaults]
    default_realm = $hadoop.realm

Set the encryption type:

    [libdefaults]
    default_tkt_enctypes = $encryption_types
    default_tgs_enctypes = $encryption_types
    permitted_enctypes = $encryption_types

where the $encryption_types match the types supported by your environment. For example:

    default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    permitted_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc

If TCP is open on the KDC and AD Server:

    [libdefaults]
    udp_preference_limit = 1

Add a realm for the AD domain:

    [realms]
    $AD.DOMAIN = {
        kdc = $AD-host-FQDN
        admin_server = $AD-host-FQDN
        default_domain = $AD-host-FQDN
    }

Save the krb5.conf file and apply the changes to all Hadoop cluster hosts.

Add the trust principal for the AD domain to the Hadoop MIT KDC:

    kadmin
    kadmin: addprinc krbtgt/$hadoop.realm@$AD.domain

This command prompts you for the trust password. Use the same password as in the earlier step.
Note: If the encryption type was defined, then use the following command to configure the AD principal:

    kadmin: addprinc -e "$encryption_type" krbtgt/$hadoop.realm@$AD.domain

