4.2. Configure the AD Domain on the KDC and Hadoop Cluster Hosts

Add the AD domain as a realm to the krb5.conf on the Hadoop cluster hosts. Optionally configure encryption types and UDP preferences.

  1. Open the krb5.conf file with a text editor and make the following changes:

    • To libdefaults, add the following properties.

      • Set the Hadoop realm as default:

        default_domain = $hadoop.realm
      • Set the encryption type:

        default_tkt_enctypes = $encryption_types 
        default_tgs_enctypes = $encryption_types
        permitted_enctypes = $encryption_types

        where $encryption_types matches the encryption types supported by your environment.

        For example:

        default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        permitted_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
      • If TCP is open on the KDC and AD Server:

        udp_preference_limit = 1
    • Add a realm for the AD domain:

      $AD.DOMAIN = {
        kdc = $AD-host-FQDN
        admin_server = $AD-host-FQDN
        default_domain = $AD-host-FQDN
      }
    • Save the krb5.conf changes to all Hadoop Cluster hosts.

  2. Add the trust principal for the AD domain to the Hadoop MIT KDC:

    kadmin: addprinc krbtgt/$hadoop.realm@$AD.domain

    This command will prompt you for the trust password. Use the same password as the earlier step.


    If the encryption type was defined, then use the following command to configure the AD principal:

    kadmin: addprinc -e "$encryption_type" krbtgt/$hadoop.realm@$AD.domain
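The following check is an added example, not part of the original documentation: it reads the three enctype properties from [libdefaults] in a krb5.conf and reports DES, 3DES and RC4 entries (deprecated for Kerberos by RFC 6649 and RFC 8429) as well as lists that differ from one another. The sample configuration is constructed, and the function names are this example's own.

```python
import re

# Constructed sample: the page's example list, then two shorter lists.
SAMPLE = """\
[libdefaults]
  default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
  default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac
  permitted_enctypes = aes256-cts aes128-cts
  udp_preference_limit = 1
"""

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# Cipher families deprecated for Kerberos: DES (RFC 6649), 3DES and RC4 (RFC 8429).
WEAK_FAMILIES = {"des", "des3", "rc4", "arcfour"}

def libdefaults(text):
    """Return the key/value pairs found in the [libdefaults] section."""
    section, pairs = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            pairs[key] = value
    return pairs

def audit_enctypes(text):
    """Return findings for the three enctype properties, in ENCTYPE_KEYS order."""
    conf, findings = libdefaults(text), []
    lists = {k: conf.get(k, "").replace(",", " ").lower().split() for k in ENCTYPE_KEYS}
    for key, types in lists.items():
        if not types:
            findings.append(f"{key}: not set, library defaults apply")
        for enctype in types:
            if enctype.split("-")[0] in WEAK_FAMILIES:
                findings.append(f"{key}: weak enctype {enctype}")
    if len({frozenset(types) for types in lists.values()}) > 1:
        findings.append("enctype lists differ between the three properties")
    return findings

if __name__ == "__main__":
    for finding in audit_enctypes(SAMPLE):
        print(finding)
```

Run it against the krb5.conf on each cluster host after saving the changes; an empty result means all three properties carry the same list and none of the flagged families.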
