Prepare Kerberos authentication-enabled clusters for replication

Before you create replication policies between clusters that use Kerberos authentication, you must prepare the source and destination clusters.

  1. On the hosts in the destination cluster, ensure that the krb5.conf file (typically located at /etc/krb5.conf) on each host has the following information:
    1. The KDC information for the source cluster's Kerberos realm. For example:
      [realms]
       SRC.EXAMPLE.COM = {
        kdc = kdc01.src.example.com:88
        admin_server = kdc01.example.com:749
        default_domain = src.example.com
       }
       DST.EXAMPLE.COM = {
        kdc = kdc01.dst.example.com:88
        admin_server = kdc01.dst.example.com:749
        default_domain = dst.example.com
       }
    2. Realm mapping for the source cluster domain. You configure these mappings in the [domain_realm] section.
      For example:
      [domain_realm]
       .dst.example.com = DST.EXAMPLE.COM
       dst.example.com = DST.EXAMPLE.COM
       .src.example.com = SRC.EXAMPLE.COM
       src.example.com = SRC.EXAMPLE.COM
  2. On the destination cluster, perform the following steps to add the realm of the source cluster to the Trusted Kerberos Realms configuration property:
    1. Go to the Cloudera Manager > HDFS service > Configuration tab.
    2. Search for the Trusted Kerberos Realms property, and enter the source cluster realm.
    3. Click Save Changes.
  3. Go to the Administration > Settings page.
  4. Search for the Domain Name(s) field, and enter any domain or host names you want to map to the destination cluster KDC. Add as many entries as you need. The entries in this property are used to generate the domain_realm section in the krb5.conf file.
  5. If domain_realm is configured in the Advanced Configuration Snippet (Safety Valve) for remaining krb5.conf property, remove the entries for it.
  6. Click Save Changes.
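
To confirm step 1 on a destination host, the following Python code (an added example, not part of the original documentation) parses krb5.conf text and reports whether the source realm has a KDC entry in [realms] and whether both forms of the source domain shown in the [domain_realm] example map to that realm. The names parse_krb5, check_source_realm and SAMPLE are hypothetical, and SAMPLE is constructed from the values in step 1.

```python
import re

# Constructed sample based on the step 1 example; not read from a real host.
SAMPLE = """\
[realms]
 SRC.EXAMPLE.COM = {
  kdc = kdc01.src.example.com:88
 }
[domain_realm]
 .dst.example.com = DST.EXAMPLE.COM
 .src.example.com = SRC.EXAMPLE.COM
 src.example.com = SRC.EXAMPLE.COM
"""

def parse_krb5(text):
    """Return (realms, domain_realm): realms maps realm -> {key: [values]}."""
    realms, domain_realm = {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif line == "}":                    # end of a realm block
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "realms" and value == "{":
                realm = key
                realms[realm] = {}
            elif section == "realms" and realm:
                realms[realm].setdefault(key, []).append(value)
            elif section == "domain_realm":
                domain_realm[key.lower()] = value  # host names compare in lowercase
    return realms, domain_realm

def check_source_realm(text, realm, domain):
    """List what step 1 requires but the file lacks for the source realm."""
    realms, domain_realm = parse_krb5(text)
    problems = []
    if not realms.get(realm, {}).get("kdc"):
        problems.append(f"[realms] has no kdc for {realm}")
    for name in (f".{domain}", domain):      # both forms used in the example
        mapped = domain_realm.get(name)
        if mapped != realm:                  # realm names are case-sensitive
            problems.append(f"[domain_realm] {name} -> {mapped}, expected {realm}")
    return problems
```

On a destination host, pass the contents of /etc/krb5.conf instead of SAMPLE; an empty list means both requirements in step 1 are met for the source realm.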