Hadoop Security Guide

Configure the AD Domain on the KDC and Hadoop Cluster Hosts

Add the AD domain as a realm in krb5.conf on every Hadoop cluster host. Optionally, restrict the encryption types and force Kerberos to use TCP.

  1. Open the krb5.conf file with a text editor and make the following changes:

    • To libdefaults, add the following properties.

      • Set the Hadoop realm as the default realm. The libdefaults option is default_realm (default_domain is a [realms] subsection option and has no effect in libdefaults). Realm names are case-sensitive and are conventionally uppercase:

        [libdefaults]
        default_realm = $hadoop.realm
      • Set the encryption types:

        [libdefaults]
        default_tkt_enctypes = $encryption_types
        default_tgs_enctypes = $encryption_types
        permitted_enctypes = $encryption_types

        where $encryption_types is a space-separated list of the types supported by both your MIT KDC and the AD domain (the cross-realm key created in step 2 must use a type both sides accept).

        For example:

        default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        permitted_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc

        This list is deliberately permissive. arcfour-hmac-md5 is an alias of rc4-hmac, the DES types are disabled by default in current MIT Kerberos and Windows releases, and RC4 is deprecated. Unless a legacy component requires otherwise, list only the AES types (aes256-cts aes128-cts); listing weak types lets a downgrade to them succeed.
      • If TCP port 88 is open to the KDC and the AD domain controllers, force TCP. AD tickets carry a PAC and frequently exceed the UDP datagram size, which causes truncation and retries over UDP; a limit of 1 byte makes the library use TCP for every request:

        [libdefaults]
        udp_preference_limit = 1
    • Add a realm for the AD domain. The realm name is the AD DNS domain in uppercase; kdc and admin_server point at a domain controller, and default_domain is the DNS name of the AD domain itself (lowercase), not a host:

      [realms]
      $AD.DOMAIN = {
        kdc = $AD-host-FQDN
        admin_server = $AD-host-FQDN
        default_domain = $AD.domain
      }
    • Save krb5.conf and distribute the same file to all Hadoop cluster hosts, so that every host resolves the AD realm identically.

  2. Add the cross-realm trust principal for the AD domain to the Hadoop MIT KDC (run kadmin with an admin principal, or kadmin.local on the KDC host):

    kadmin
    kadmin: addprinc krbtgt/$hadoop.realm@$AD.domain

    The command prompts for the principal's password. Enter the same trust password you used in the earlier step when creating the trust on the AD side; the key derived from it must be identical on both KDCs, otherwise cross-realm ticket requests from AD users fail.

    Note

    If you restricted the encryption types in krb5.conf, create the principal with the matching key types:

    kadmin: addprinc -e "$encryption_types" krbtgt/$hadoop.realm@$AD.domain

    The -e option takes a list of enctype:salttype pairs, so each entry must include a salt type (normally 'normal'), for example -e "aes256-cts:normal aes128-cts:normal". The types listed must be ones the AD trust is configured to allow.
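The procedure above is easy to get subtly wrong (a misspelled libdefaults key, a weak enctype left in the list, the AD realm missing on one host). The following is an added example, not part of the original guide or of any Hortonworks tooling: a small Python linter that parses a krb5.conf, checks the settings step 1 calls for, and derives the enctype:salttype argument that step 2's addprinc -e needs from permitted_enctypes. The realm and host names (HADOOP.EXAMPLE.COM, AD.EXAMPLE.COM, dc1.ad.example.com) and both sample configurations are constructed for the example.

```python
"""Lint a krb5.conf for the MIT KDC <-> AD cross-realm settings (added example)."""
import re

# Enctype families a current deployment should not advertise (DES and RC4).
WEAK_ENCTYPES = re.compile(r"^(des-|des3-|rc4-|arcfour-)")
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value | {subkey: value}}}.

    Handles '[section]' headers, 'key = value' lines and 'NAME = { ... }'
    blocks; comments (# or ;) and blank lines are ignored.
    """
    sections = {}
    current = None   # dict for the active [section]
    block = None     # dict for the active 'NAME = {' block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            block = None
            continue
        if current is None:
            raise ValueError("key outside of any section: %r" % raw)
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = current.setdefault(key, {})
            continue
        (block if block is not None else current)[key] = value
    return sections


def check_cross_realm(conf, hadoop_realm, ad_realm):
    """Return a list of findings; an empty list means the config matches the procedure."""
    findings = []
    lib = conf.get("libdefaults", {})
    realms = conf.get("realms", {})

    if lib.get("default_realm") != hadoop_realm:
        findings.append("default_realm should be %s (got %r)" % (hadoop_realm, lib.get("default_realm")))
    for key in ENCTYPE_KEYS:
        for enc in lib.get(key, "").split():
            if WEAK_ENCTYPES.match(enc):
                findings.append("%s lists weak enctype %s" % (key, enc))
    if lib.get("udp_preference_limit") != "1":
        findings.append("udp_preference_limit is not 1; requests go over UDP first")

    ad = realms.get(ad_realm)
    if not isinstance(ad, dict):
        findings.append("no [realms] entry for %s" % ad_realm)
    else:
        for key in ("kdc", "admin_server"):
            if not ad.get(key):
                findings.append("%s: missing %s" % (ad_realm, key))
    return findings


def kadmin_enctype_arg(conf, salt="normal"):
    """Build the 'addprinc -e' value (enctype:salttype pairs) from permitted_enctypes."""
    encs = conf.get("libdefaults", {}).get("permitted_enctypes", "").split()
    return " ".join("%s:%s" % (enc, salt) for enc in encs)


# Constructed sample: the permissive enctype list, no TCP forcing, AD realm missing.
WEAK_CONF = """
[libdefaults]
  default_realm = HADOOP.EXAMPLE.COM
  default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac des-cbc-md5
  default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac des-cbc-md5
  permitted_enctypes = aes256-cts aes128-cts rc4-hmac des-cbc-md5

[realms]
  HADOOP.EXAMPLE.COM = {
    kdc = kdc.hadoop.example.com
    admin_server = kdc.hadoop.example.com
  }
"""

# Constructed sample: AES only, TCP forced, AD realm defined as in step 1.
HARDENED_CONF = """
[libdefaults]
  default_realm = HADOOP.EXAMPLE.COM
  default_tkt_enctypes = aes256-cts aes128-cts
  default_tgs_enctypes = aes256-cts aes128-cts
  permitted_enctypes = aes256-cts aes128-cts
  udp_preference_limit = 1

[realms]
  HADOOP.EXAMPLE.COM = {
    kdc = kdc.hadoop.example.com
    admin_server = kdc.hadoop.example.com
  }
  AD.EXAMPLE.COM = {
    kdc = dc1.ad.example.com        # a domain controller (constructed name)
    admin_server = dc1.ad.example.com
    default_domain = ad.example.com
  }
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        conf = parse_krb5_conf(text)
        print("%s config:" % name)
        for finding in check_cross_realm(conf, "HADOOP.EXAMPLE.COM", "AD.EXAMPLE.COM") or ["ok"]:
            print("  -", finding)
        print("  addprinc -e \"%s\"" % kadmin_enctype_arg(conf))
```

Run it against the krb5.conf from each cluster host before step 2; the hardened sample produces no findings and yields -e "aes256-cts:normal aes128-cts:normal", which is the key-type list to pass to addprinc so the cross-realm principal only carries keys that both KDCs accept.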