Set up One-Way Trust with Active Directory
How to set up one-way trust with AD when setting up Kerberos for non-Ambari clusters.
Note: Hortonworks recommends setting up one-way trust after fully configuring and testing your Kerberized Hadoop cluster.
- Configure the Kerberos Hadoop realm on the AD DC:

  Configure the Hadoop realm on the AD DC server and set up the one-way trust.

  - Add the Hadoop Kerberos realm and KDC host to the DC:

    ```
    ksetup /addkdc $hadoop.realm $KDC-host
    ```

  - Establish the one-way trust between the AD domain and the Hadoop realm:

    ```
    netdom trust $hadoop.realm /Domain:$AD.domain /add /realm /passwordt:$trust_password
    ```

  - (Optional) If Windows clients within the AD domain need to access Hadoop services, and the domain does not have a search route to find the services in the Hadoop realm, run the following command to create a host map for each Hadoop service host:

    ```
    ksetup /addhosttorealmmap $hadoop-service-host $hadoop.realm
    ```

    Note: Run the above for each $hadoop-host that provides services that need to be accessed by Windows clients, for example the Oozie host, the WebHCat host, etc.

  - (Optional) Define the encryption type:

    ```
    ksetup /SetEncTypeAttr $hadoop.realm $encryption_type
    ```

    Set encryption types based on your security requirements. Mismatched encryption types between the AD domain and the Hadoop realm cause problems.

    Note: Run `ksetup /GetEncTypeAttr $krb_realm` to list the encryption types configured for a realm. Verify that the same encryption type is configured for the Hadoop realm in krb5.conf.
- Configure the AD domain on the KDC and Hadoop cluster hosts:

  Add the AD domain as a realm to the krb5.conf on the Hadoop cluster hosts. Optionally configure encryption types and UDP preferences.
  - Open the krb5.conf file with a text editor and make the following changes:

    - To [libdefaults], add the following properties:

      - Set the Hadoop realm as default:

        ```
        [libdefaults]
        default_realm = $hadoop.realm
        ```

      - Set the encryption types:

        ```
        [libdefaults]
        default_tkt_enctypes = $encryption_types
        default_tgs_enctypes = $encryption_types
        permitted_enctypes = $encryption_types
        ```

        where $encryption_types match the types supported by your environment. For example:

        ```
        default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        permitted_enctypes = aes256-cts aes128-cts rc4-hmac arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
        ```

      - If TCP is open on the KDC and AD server:

        ```
        [libdefaults]
        udp_preference_limit = 1
        ```

    - Add a realm for the AD domain:

      ```
      [realms]
      $AD.DOMAIN = {
        kdc = $AD-host-FQDN
        admin_server = $AD-host-FQDN
        default_domain = $AD-host-FQDN
      }
      ```

    - Save the krb5.conf changes to all Hadoop cluster hosts.
  - Add the trust principal for the AD domain to the Hadoop MIT KDC:

    ```
    kadmin
    kadmin: addprinc krbtgt/$hadoop.realm@$AD.domain
    ```

    This command prompts you for the trust password. Use the same password as in the netdom step above.

    Note: If an encryption type was defined, use the following command instead to configure the AD principal:

    ```
    kadmin: addprinc -e "$encryption_type" krbtgt/$hadoop.realm@$AD.domain
    ```

    When specifying the encryption type, be sure to also include its salt type (e.g., 'normal').
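The krb5.conf edits above are easy to get subtly wrong, and the text warns that mismatched encryption types cause problems. The following checker is an added example, not part of the Hortonworks documentation or the Hadoop project: it parses a krb5.conf, confirms the Hadoop realm is the default realm and the AD realm has a KDC entry, compares the configured enctypes with the list the DC reports via `ksetup /GetEncTypeAttr` (passed in as a Python list), and flags the DES/RC4 types that the example list above still carries. The sample configuration, realm names and host names are constructed for the example.

```python
import re

# Constructed sample krb5.conf modelled on the snippets above (not a real deployment).
SAMPLE_KRB5_CONF = """
[libdefaults]
  default_realm = HADOOP.EXAMPLE
  default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac des-cbc-md5
  default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac des-cbc-md5
  permitted_enctypes = aes256-cts aes128-cts rc4-hmac des-cbc-md5
[realms]
  AD.EXAMPLE = {
    kdc = dc01.ad.example
    admin_server = dc01.ad.example
  }
"""
# DES and RC4 types that the example enctype list above still carries.
WEAK_ENCTYPES = {"des-cbc-md5", "des-cbc-crc", "rc4-hmac", "arcfour-hmac-md5"}


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {key: value}}, realm blocks nested."""
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line: continue
        if m := re.match(r"\[(\w+)\]$", line):
            section, realm = sections.setdefault(m.group(1), {}), None
        elif (m := re.match(r"([\w.\-]+)\s*=\s*\{$", line)) and section is not None:
            realm = section.setdefault(m.group(1), {})
        elif line == "}":
            realm = None
        elif section is not None:
            key, _, value = line.partition("=")
            (realm if realm is not None else section)[key.strip()] = value.strip()
    return sections


def check_trust_config(text, hadoop_realm, ad_realm, ad_enctypes):
    """Return findings; an empty list means the trust-related settings look consistent."""
    conf = parse_krb5_conf(text)
    lib, findings = conf.get("libdefaults", {}), []
    if lib.get("default_realm") != hadoop_realm:
        findings.append("default_realm is not the Hadoop realm")
    ad = conf.get("realms", {}).get(ad_realm)
    if not isinstance(ad, dict) or "kdc" not in ad:
        findings.append(f"[realms] has no kdc entry for {ad_realm}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        types = set(lib.get(key, "").split())
        if not types & set(ad_enctypes):  # no common enctype: cross-realm tickets fail
            findings.append(f"{key} shares no enctype with the AD DC")
        findings += [f"{key} still permits weak enctype {t}" for t in sorted(types & WEAK_ENCTYPES)]
    return findings
```

Run it against the real krb5.conf on a cluster host after the edits above; an empty result means the default realm, the AD realm entry and the enctype overlap are all in place, and any remaining findings name the key to fix.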