Prepare clusters with Kerberos authentication for replication

Before you create replication policies between clusters that use Kerberos authentication to replicate HDFS, Hive, or Impala data, you must prepare the source and destination clusters.

  1. On the hosts in the destination cluster, ensure that the krb5.conf file (typically located at /etc/kbr5.conf) on each host has the following information:
    • The KDC information for the source cluster's Kerberos realm. For example:
       SRC.EXAMPLE.COM = {
        kdc =
        admin_server =
        default_domain =
       DST.EXAMPLE.COM = {
        kdc =
        admin_server =
        default_domain =
    • Realm mapping for the source cluster domain. You configure these mappings in the [domain_realm] section. For example:
  2. On the destination cluster, use Cloudera Manager to add the realm of the source cluster to the Trusted Kerberos Realms configuration property:
    1. Go to the HDFS Service.
    2. Click the Configuration tab.
    3. In the search field type Trusted Kerberos to find the Trusted Kerberos Realms property.
    4. Click the plus sign icon, and then enter the source cluster realm.
    5. Enter a Reason for change, and then click Save Changes to commit the changes.
  3. Go to Administration > Settings.
  4. In the search field, type domain name.
  5. In the Domain Name(s) field, enter any domain or host names you want to map to the destination cluster KDC. Use the plus sign icon to add as many entries as you need. The entries in this property are used to generate the domain_realm section in krb5.conf.
  6. If domain_realm is configured in the Advanced Configuration Snippet (Safety Valve) for remaining krb5.conf, remove the entries for it.
  7. Enter a Reason for change, and then click Save Changes to commit the changes.