Using FreeIPA FQDNs in the krb5.conf file

Use this method when DNS resolution for the environment's domain needs to go through FreeIPA from the edge node.

Verify that inbound port 88 (both TCP and UDP) is open in the FreeIPA security group, firewall, and NSG for the edge node IP address or the CIDR range.
  1. Install the unbound package. SSH into the external edge node as the root user and run:
    yum install unbound -y
  2. Create a backup of the /etc/unbound/unbound.conf file, then add the following entries to its server: section so that unbound listens only on the loopback address and answers only local clients:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
  3. Enable and start the unbound service.
    systemctl enable --now unbound
    systemctl start unbound
  4. Copy the contents of the /etc/unbound/conf.d/60-domain-dns.conf file from one of the datalake nodes in your target environment.
  5. Create the /etc/unbound/conf.d/60-domain-dns.conf file in the edge node with the contents copied from the previous step.
    forward-zone:
      name: "testenv.demo.cloudera.site"
      forward-addr: 10.0.191.135
      forward-addr: 10.0.191.166
    
    forward-zone:
      name: "10.in-addr.arpa."
      forward-addr: 10.0.191.135
      forward-addr: 10.0.191.166
  6. Add a rule in the Network Security group attached to the FreeIPA node to allow inbound traffic for port 53 DNS (both TCP and UDP) so external edge nodes can connect for DNS queries.
  7. Create the file 99-default.conf in /etc/unbound/conf.d so that every other name is forwarded to the edge node's existing default DNS server. Use the nameserver IP address currently listed in /etc/resolv.conf (record it before step 9 replaces it with 127.0.0.1).
    forward-zone:
      name: "."
      forward-addr: 10.250.0.10
    forward-zone:
      name: "in-addr.arpa."
      forward-addr: 10.250.0.10
  8. Restart the unbound service.
    systemctl restart unbound
  9. Update the /etc/resolv.conf file so that 127.0.0.1 is the only nameserver.
    nameserver 127.0.0.1
  10. Test DNS lookups from the external edge node with the dig or nslookup commands.
    # nslookup <IPA FQDN>
    # nslookup <Datalake node FQDN>
    # nslookup <CDW or CML or any other Data Service Endpoint>
  11. Update the /etc/krb5.conf file so that the kdc and admin_server entries use the FreeIPA FQDNs.
    includedir /etc/krb5.conf.d/
    
    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
        dns_lookup_realm = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        udp_preference_limit = 1
        rdns = false
        max_retries = 1
        spake_preauth_groups = edwards25519
        default_realm = TESTENV.DEMO.CLOUDERA.SITE
        default_ccache_name = /tmp/krb5cc_%{uid}
    
    [realms]
        TESTENV.DEMO.CLOUDERA.SITE = {
            kdc = ipaserver0.testenv.demo.cloudera.site
            kdc = ipaserver1.testenv.demo.cloudera.site
            admin_server = ipaserver0.testenv.demo.cloudera.site
            admin_server = ipaserver1.testenv.demo.cloudera.site
        }
    
    [domain_realm]
        .testenv.demo.cloudera.site = TESTENV.DEMO.CLOUDERA.SITE
        testenv.demo.cloudera.site = TESTENV.DEMO.CLOUDERA.SITE
  12. Obtain a Kerberos ticket for a CDP user.
    # kinit <cdp-user>
Verify the ticket with the klist command.
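As an added example (not part of the original procedure), the following bash script checks the outcome of the steps above: it reads the kdc and admin_server hosts from the [realms] section of krb5.conf, resolves each one through the local unbound instance on 127.0.0.1 only, and tests that TCP port 88 is reachable. It assumes dig (bind-utils) and timeout (coreutils) are installed on the edge node; the script name check_edge_kdc.sh is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the page). Assumes dig and timeout are installed.
set -u
# Print the unique kdc/admin_server hostnames from the [realms] section of the
# krb5.conf at $1. Skips [logging], whose "kdc = FILE:..." lines also start
# with "kdc", and strips an optional ":port" suffix from each host.
kdc_hosts_from_krb5conf() {
  awk '
    /^[ \t]*\[/ { in_realms = ($0 ~ /^[ \t]*\[realms\]/); next }
    in_realms && /^[ \t]*(kdc|admin_server)[ \t]*=/ {
      sub(/^[ \t]*(kdc|admin_server)[ \t]*=[ \t]*/, "")
      sub(/[: \t].*$/, "")
      print
    }' "$1" | sort -u
}
# Resolve a name through the local unbound instance only (@127.0.0.1), so the
# check exercises the forward-zone configuration rather than another resolver.
resolve_local() {
  dig +short +time=3 +tries=1 @127.0.0.1 "$1" A | grep -E '^[0-9.]+$' | head -n 1
}
# Succeed if TCP/88 (Kerberos) on $1 accepts a connection within 3 seconds.
kdc_port_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/88" 2>/dev/null
}
# Run all checks against the given krb5.conf; returns non-zero on any failure.
verify_edge_dns() {
  conf="$1"; rc=0
  # Step 9 above: the edge node must send its queries to the local unbound.
  grep -qE '^nameserver[[:space:]]+127\.0\.0\.1$' /etc/resolv.conf \
    || { echo "FAIL: /etc/resolv.conf does not list nameserver 127.0.0.1"; rc=1; }
  for host in $(kdc_hosts_from_krb5conf "$conf"); do
    ip=$(resolve_local "$host")
    if [ -z "$ip" ]; then
      echo "FAIL: $host does not resolve via 127.0.0.1 (check 60-domain-dns.conf)"; rc=1
    elif kdc_port_open "$ip"; then
      echo "OK:   $host -> $ip, TCP/88 reachable"
    else
      echo "FAIL: $host -> $ip, TCP/88 unreachable (check the security group / NSG rule)"; rc=1
    fi
  done
  return "$rc"
}
# Live checks run only when invoked as: ./check_edge_kdc.sh --check [/etc/krb5.conf]
if [ "${1-}" = "--check" ]; then
  verify_edge_dns "${2:-/etc/krb5.conf}"
fi
```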