Configure the Hadoop realm on the AD DC server and set up the one-way trust.
Add the Hadoop Kerberos realm and KDC host to the DC:
ksetup /addkdc $hadoop.realm $KDC-host
Establish one-way trust between the AD domain and the Hadoop realm:
netdom trust $hadoop.realm /Domain:$AD.domain /add /realm /passwordt:$trust_password
(Optional) If Windows clients within the AD domain need to access Hadoop services, and the domain does not have a search route to find the services in the Hadoop realm, run the following command to create a hostmap for the Hadoop service host:
ksetup /addhosttorealmmap $hadoop-service-host $hadoop.realm
Note: Run the above for each $hadoop-host that provides services that need to be accessed by Windows clients. For example, Oozie host, WebHCat host, etc.
(Optional) Define the encryption type:
ksetup /SetEncTypeAttr $hadoop.realm $encryption_type
Set encryption types based on your security requirements. Mismatching encryption types causes problems.
Note: Run ksetup /GetEncTypeAttr $krb_realm to list the available encryption types. Verify that the encryption type is configured for the Hadoop realm in krb5.conf.
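One way to carry out the krb5.conf verification above on a Hadoop host, as an added example that is not part of the original documentation: it checks that the encryption type passed to ksetup /SetEncTypeAttr is allowed by every enctype setting in [libdefaults]. The function names, the sample krb5.conf and the realm HADOOP.EXAMPLE.COM are constructed for illustration.

```python
import re

# ksetup /SetEncTypeAttr names -> equivalent MIT krb5.conf names, aliases and families
KSETUP_TO_KRB5 = {
    "DES-CBC-CRC": {"des-cbc-crc", "des"},
    "DES-CBC-MD5": {"des-cbc-md5", "des"},
    "RC4-HMAC-MD5": {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "rc4"},
    "AES128-CTS-HMAC-SHA1-96": {"aes128-cts-hmac-sha1-96", "aes128-cts", "aes"},
    "AES256-CTS-HMAC-SHA1-96": {"aes256-cts-hmac-sha1-96", "aes256-cts", "aes"},
}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample krb5.conf (hypothetical realm and KDC host)
SAMPLE = """\
[libdefaults]
  default_realm = HADOOP.EXAMPLE.COM
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  permitted_enctypes = aes256-cts-hmac-sha1-96, rc4-hmac
[realms]
  HADOOP.EXAMPLE.COM = {
    kdc = kdc.hadoop.example.com
  }
"""

def libdefaults_enctypes(krb5_conf_text):
    """Return {setting: [enctypes]} for the enctype settings in [libdefaults]."""
    found, section = {}, None
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                found[key] = [v.lower() for v in re.split(r"[\s,]+", value) if v]
    return found

def missing_enctype(krb5_conf_text, ksetup_enctype):
    """List the krb5.conf settings that do not allow the AD-side enctype."""
    # Settings absent from the file fall back to library defaults and are not checked.
    accepted = KSETUP_TO_KRB5[ksetup_enctype.upper()]
    return [key for key, values in libdefaults_enctypes(krb5_conf_text).items()
            if not accepted & set(values)]
```

An empty list means every explicitly configured setting accepts the encryption type set on the AD side; any setting returned is where a mismatch would surface.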