Configure the AD Domain on the KDC and Hadoop Cluster Hosts
Add the AD domain as a realm to the krb5.conf on the Hadoop cluster hosts. Optionally configure encryption types and UDP preferences.
Open the krb5.conf file with a text editor and make the following changes:
To libdefaults, add the following properties.
Set the Hadoop realm as default:
[libdefaults]
    default_domain = $hadoop.realm
Set the encryption type:
[libdefaults]
    default_tkt_enctypes = $encryption_types
    default_tgs_enctypes = $encryption_types
    permitted_enctypes = $encryption_types
where $encryption_types matches the types supported by your environment.
For example:
    default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    permitted_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
If TCP is open on the KDC and AD Server:
[libdefaults]
    udp_preference_limit = 1
Add a realm for the AD domain:
[realms]
    $AD.DOMAIN = {
        kdc = $AD-host-FQDN
        admin_server = $AD-host-FQDN
        default_domain = $AD-host-FQDN
    }
Save the krb5.conf changes to all Hadoop Cluster hosts.
Add the trust principal for the AD domain to the Hadoop MIT KDC:
kadmin
kadmin: addprinc krbtgt/$hadoop.realm@$AD.domain
This command will prompt you for the trust password. Use the same password as the earlier step.
Note: If the encryption type was defined, then use the following command to configure the AD principal:
kadmin: addprinc -e "$encryption_type" krbtgt/$hadoop.realm@$AD.domain
When defining encryption, be sure to also enter the encryption type (e.g., 'normal').
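A check for the krb5.conf edits described above, added here as an example and not part of the original documentation: it confirms that the three enctype lists agree, that the AD realm block has kdc and admin_server, and it flags single-DES and RC4 enctypes, which RFC 6649 and RFC 8429 deprecate for Kerberos. The function names, AD.EXAMPLE.COM and the host name are assumptions, and the parser handles only the multi-line realm block layout.

```python
import re

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
WEAK = re.compile(r"^(des-|rc4-|arcfour-)")  # single DES (RFC 6649), RC4 (RFC 8429)

def parse_krb5(text):
    """Parse krb5.conf text into {section: {key: value or realm dict}}."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None  # end of a realm block
        elif "=" in line and line[0] not in "#;" and section is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})  # start of a realm block
            else:
                (block if block is not None else section)[key] = value
    return conf

def check_trust_conf(text, ad_realm):
    """Return findings for the libdefaults and realm settings added on this page."""
    conf = parse_krb5(text)
    lists = {k: conf.get("libdefaults", {}).get(k, "").split() for k in ENCTYPE_KEYS}
    findings = []
    if len({tuple(v) for v in lists.values()}) > 1:
        findings.append("enctype lists differ across " + ", ".join(ENCTYPE_KEYS))
    weak = sorted({e for v in lists.values() for e in v if WEAK.match(e)})
    if weak:
        findings.append("weak enctypes enabled: " + " ".join(weak))
    realm = conf.get("realms", {}).get(ad_realm, {})
    findings += [f"{ad_realm}: missing {k}" for k in ("kdc", "admin_server") if k not in realm]
    return findings

# Constructed sample: the page's example enctype list, placeholder realm and host names.
SAMPLE = """[libdefaults]
default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts
[realms]
AD.EXAMPLE.COM = {
  kdc = ad01.ad.example.com
}
"""
if __name__ == "__main__":
    print("\n".join(check_trust_conf(SAMPLE, "AD.EXAMPLE.COM")))
```

Run it against the krb5.conf on each cluster host after saving the changes; an empty result means the three lists match, contain no deprecated enctypes, and the AD realm block is complete.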