If the edge node's /etc/resolv.conf points to FreeIPA (nameserver <FreeIPA IP>), or the
upstream default nameserver has a conditional forwarder that sends resolution requests for
the environment's domain to FreeIPA, then only the following steps are required.
- Verify that inbound port 88 (the Kerberos KDC port, both TCP and UDP) is open in
the FreeIPA security group, firewall, and NSG for the edge node IP address or its CIDR
range.
- Install the unbound package: SSH into the external edge node as the root user
and install it.
- Test DNS lookup from the external edge node with the dig and nslookup commands; each
of the following names must resolve:
# nslookup <IPA FQDN>
# nslookup <Datalake node FQDN>
# nslookup <CDW or CML or any other Data Service Endpoint>
- Update the FreeIPA FQDN in the /etc/krb5.conf file. The example below uses the realm
TESTENV.DEMO.CLOUDERA.SITE with two IPA servers; substitute your environment's realm and
KDC hostnames.
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit = 1
rdns = false
max_retries = 1
spake_preauth_groups = edwards25519
default_realm = TESTENV.DEMO.CLOUDERA.SITE
default_ccache_name = /tmp/krb5cc_%{uid}
[realms]
TESTENV.DEMO.CLOUDERA.SITE = {
kdc = ipaserver0.testenv.demo.cloudera.site
kdc = ipaserver1.testenv.demo.cloudera.site
admin_server = ipaserver0.testenv.demo.cloudera.site
admin_server = ipaserver1.testenv.demo.cloudera.site
}
[domain_realm]
.testenv.demo.cloudera.site = TESTENV.DEMO.CLOUDERA.SITE
testenv.demo.cloudera.site = TESTENV.DEMO.CLOUDERA.SITE
- Obtain a Kerberos ticket for a CDP user with kinit and verify the ticket with klist:
# kinit <CDP user>
# klist
If kinit cannot reach the KDC, recheck the DNS lookups and the port 88 rules from the
steps above.
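The script below is an added example, not part of this documentation: it automates the two
prerequisite checks described above by reading the realm and the kdc entries from a
krb5.conf, then confirming from the edge node that each KDC resolves in DNS and accepts TCP
connections on port 88. It assumes bash (for /dev/tcp), awk, getent and the coreutils
timeout command are present on the edge node; the embedded sample krb5.conf is constructed
for demonstration and reuses the hostnames from the example configuration above.

```shell
#!/usr/bin/env bash
# kdc_preflight.sh (added example, not part of the Cloudera documentation)
# Reads the realm and KDC hosts from a krb5.conf, then checks from the edge
# node that each KDC resolves in DNS and accepts TCP on port 88, i.e. the
# two prerequisites the steps above ask you to verify by hand.

# Print the default_realm from [libdefaults].
default_realm() {
    awk '/^\[/ { in_lib = ($1 == "[libdefaults]") }
         in_lib && $1 == "default_realm" && $2 == "=" { print $3; exit }' "$1"
}

# Print the kdc hosts declared for a realm inside [realms], one per line,
# with any ":port" suffix stripped.
kdc_hosts() {
    awk -v realm="$2" '
        /^\[/ { in_realms = ($1 == "[realms]"); in_realm = 0 }
        in_realms && $1 == realm && $2 == "=" && $3 == "{" { in_realm = 1; next }
        in_realm && $1 == "}" { in_realm = 0 }
        in_realm && $1 == "kdc" && $2 == "=" { sub(/:[0-9]+$/, "", $3); print $3 }
    ' "$1"
}

# DNS + TCP/88 check for one KDC. The client config above sets
# udp_preference_limit = 1, so real traffic goes over TCP and that is the path
# tested here; UDP 88 is not probed. Requires bash (/dev/tcp) and timeout.
check_kdc() {
    host=$1
    port=${2:-88}
    if ! getent hosts "$host" >/dev/null 2>&1; then
        echo "FAIL dns  $host does not resolve (check resolv.conf / forwarder)"
        return 1
    fi
    if timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
        echo "ok   tcp  $host:$port reachable"
    else
        echo "FAIL tcp  $host:$port unreachable (check security group / firewall / NSG)"
        return 1
    fi
}

# Run every check for the realm configured in the given krb5.conf.
preflight() {
    conf=${1:-/etc/krb5.conf}
    realm=$(default_realm "$conf")
    if [ -z "$realm" ]; then
        echo "FAIL no default_realm in $conf"
        return 1
    fi
    echo "realm $realm"
    rc=0
    for h in $(kdc_hosts "$conf" "$realm"); do
        check_kdc "$h" 88 || rc=1
    done
    return $rc
}

# Constructed sample krb5.conf (hostnames are illustrative, taken from the
# example above) used to exercise the parser without touching /etc/krb5.conf.
write_sample_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
dns_lookup_realm = false
rdns = false
default_realm = TESTENV.DEMO.CLOUDERA.SITE
[realms]
TESTENV.DEMO.CLOUDERA.SITE = {
kdc = ipaserver0.testenv.demo.cloudera.site
kdc = ipaserver1.testenv.demo.cloudera.site:88
admin_server = ipaserver0.testenv.demo.cloudera.site
}
[domain_realm]
.testenv.demo.cloudera.site = TESTENV.DEMO.CLOUDERA.SITE
EOF
}

# Usage: bash kdc_preflight.sh /etc/krb5.conf
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

Run it on the edge node after editing /etc/krb5.conf and before attempting kinit; a
"FAIL dns" line points at the resolv.conf or forwarder setup, while a "FAIL tcp" line points
at the security group, firewall or NSG rule for port 88.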