Configure the AD Domain on the KDC and Hadoop Cluster Hosts
Add the AD domain as a realm to the krb5.conf on the Hadoop cluster hosts. Optionally configure encryption types and UDP preferences.
Open the krb5.conf file with a text editor and make the following changes:
To libdefaults, add the following properties.
Set the Hadoop realm as default:
[libdefaults] default_domain = $hadoop.realm
Set the encryption type:
[libdefaults] default_tkt_enctypes = $encryption_types default_tgs_enctypes = $encryption_types permitted_enctypes = $encryption_types
where the $encryption_types match the type supported by your environment.
For example:
default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc permitted_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des- cbc-md5 des-cbc-crc
If TCP is open on the KDC and AD Server:
[libdefaults] udp_preference_limit = 1
Add a realm for the AD domain:
[realms] $AD.DOMAIN = { kdc = $AD-host-FQDN admin_server = $AD-host-FQDN default_domain = $AD-host-FQDN }Save the krb5.conf changes to all Hadoop Cluster hosts.
Add the trust principal for the AD domain to the Hadoop MIT KDC:
kadmin kadmin:addprinc krbtgt/$hadoop.realm@$AD.domain
This command will prompt you for the trust password. Use the same password as the earlier step.
![[Note]](../common/images/admon/note.png)
Note If the encryption type was defined, then use the following command to configure the AD principal:
kadmin:addprinc -e "$encryption_type"krbtgt/$hadoop. realm@$AD.domain
When defining encryption, be sure to also enter the encryption type (e.g., 'normal')