Security Reference

Set up One-Way Trust with Active Directory

How to set up one-way trust with AD when setting up Kerberos for non-Ambari clusters.

In environments where users from Active Directory (AD) need to access Hadoop services, set up a one-way trust between the Hadoop Kerberos realm and the AD domain.

Hortonworks recommends setting up one-way trust after fully configuring and testing your Kerberized Hadoop Cluster.

  1. Configure the Kerberos Hadoop realm on the AD DC:
    Configure the Hadoop realm on the AD DC server and set up the one-way trust.
    1. Add the Hadoop Kerberos realm and KDC host to the DC:
       ksetup /addkdc $hadoop.realm $KDC-host
    2. Establish the one-way trust between the AD domain and the Hadoop realm:
       netdom trust $hadoop.realm /Domain:$AD.domain /add /realm /passwordt:$trust_password
    3. (Optional) If Windows clients within the AD domain need to access Hadoop services, and the domain does not have a search route to find the services in the Hadoop realm, run the following command to create a host map for the Hadoop service host:
       ksetup /addhosttorealmmap $hadoop-service-host $hadoop.realm

      Run the above for each $hadoop-host that provides services Windows clients need to access (for example, the Oozie host and the WebHCat host).

    4. (Optional) Define the encryption type:
       ksetup /SetEncTypeAttr $hadoop.realm $encryption_type

      Set encryption types based on your security requirements. Encryption types that do not match between the AD domain and the Hadoop realm cause authentication across the trust to fail.

      Run ksetup /GetEncTypeAttr $krb_realm to list the encryption types configured for the realm. Verify that the same encryption type is configured for the Hadoop realm in krb5.conf.

  2. Configure the AD domain on the KDC and Hadoop cluster hosts:
    Add the AD domain as a realm to the krb5.conf on the Hadoop cluster hosts. Optionally configure encryption types and UDP preferences.
    1. Open the krb5.conf file with a text editor and make the following changes:
      1. To the [libdefaults] section, add the following properties.
        • Set the Hadoop realm as the default realm:
          default_realm = $hadoop.realm
        • Set the encryption types:
          default_tkt_enctypes = $encryption_types
          default_tgs_enctypes = $encryption_types
          permitted_enctypes = $encryption_types

          where $encryption_types lists the types supported by your environment.

          For example:

          default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
          default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
          permitted_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        • If TCP is open on the KDC and the AD server, prefer TCP over UDP:
          udp_preference_limit = 1
      2. To the [realms] section, add a realm stanza for the AD domain:
        $AD.DOMAIN = {
          kdc = $AD-host-FQDN
          admin_server = $AD-host-FQDN
          default_domain = $AD-host-FQDN
        }
      3. Save the krb5.conf changes on all Hadoop cluster hosts.
    2. Add the trust principal for the AD domain to the Hadoop MIT KDC:
      kadmin: addprinc krbtgt/$hadoop.realm@$AD.domain

      This command prompts you for the trust password. Use the same password you entered in the netdom trust step above.

      If the encryption type was defined, use the following command to configure the AD principal instead:
      kadmin: addprinc -e "$encryption_type" krbtgt/$hadoop.realm@$AD.domain

      When defining encryption, be sure to also enter the salt type (e.g., 'normal') along with the encryption type, in the form $encryption_type:$salt_type.
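The krb5.conf changes and the encryption-type caveat above, as an added example (not Hortonworks' code): a small Python checker that parses a constructed krb5.conf with both realms and verifies the prerequisites the procedure relies on, a default realm, a [realms] stanza for the AD domain with a kdc entry, and [libdefaults] encryption types that overlap the list AD reports via ksetup /GetEncTypeAttr (supplied here as a constructed Python list, since the script does not run ksetup). The realm and host names are assumptions.

```python
# Constructed sample krb5.conf (example realm and host names, not from a real cluster).
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = HADOOP.EXAMPLE
  default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac
  default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac
  permitted_enctypes = aes256-cts aes128-cts rc4-hmac
[realms]
  AD.EXAMPLE = {
    kdc = dc1.ad.example
    admin_server = dc1.ad.example
    default_domain = ad.example
  }
"""

def parse_krb5_conf(text):
    """Parse the krb5.conf subset used above: [sections], key = value, NAME = { ... } stanzas."""
    conf, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, stanza = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("= {"):  # open a realm stanza
            stanza = line[:-3].strip()
            conf[section][stanza] = {}
        elif line == "}":  # close the stanza
            stanza = None
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            (conf[section][stanza] if stanza else conf[section])[key] = val
    return conf

def check_trust_config(conf, ad_realm, ad_enctypes):
    """Return the problems found; an empty list means the file matches the procedure."""
    problems, lib = [], conf.get("libdefaults", {})
    if "default_realm" not in lib:
        problems.append("default_realm missing from [libdefaults]")
    realm = conf.get("realms", {}).get(ad_realm)
    if realm is None:
        problems.append(f"no [realms] stanza for {ad_realm}")
    elif "kdc" not in realm:
        problems.append(f"{ad_realm} stanza has no kdc entry")
    # ad_enctypes is what ksetup /GetEncTypeAttr reports; every local list must overlap it.
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        if not set(lib.get(key, "").split()) & set(ad_enctypes):
            problems.append(f"{key} shares no enctype with AD")
    return problems
```

Run check_trust_config(parse_krb5_conf(open("/etc/krb5.conf").read()), "YOUR.AD.REALM", [...]) on a cluster host to check a real file against the list copied from the DC.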