The Windows desktop user has its Kerberos credentials from the AD KDC by nature of logging into the AD domain (REALM) for their desktop.

The ksetup command on the Windows desktop (/addkdc and /addhosttorealmmap) allows you to describe the MIT Kerberos realm, and how to map FQDN hostnames / domain names to a Kerberos realm for that Windows host (I believe group policy can be used to configure at larger scale). This is beyond the basic trust you have already established from the domain controller (and I assume is working, can you do a hadoop fs -ls as an AD user...).

The Kerberos credentials get applied in CLI integration with the cluster; the command line tools are Kerberos authentication aware. Enabling Kerberos within Hadoop changes the mode of operation for the cluster to secure/isolation mode, and all users must be represented with user/group accounts that will be scheduling running jobs.

Generally speaking, for Windows desktop users, getting SPNEGO (Kerberos over HTTP, "Secure web authentication") and ODBC/JDBC connections working to the cluster becomes the bulk of activity...

The ksetup docs for /addkdc and /addhosttorealmmap are going to be the most critical for you...

https://technet.microsoft.com/en-us/library/hh240190.aspx

On Fri, Jul 24, 2015 at 8:22 AM, Ben Kim <benkimkim...@gmail.com> wrote:

> Hi
> Currently I have hadoop system setup with MIT kerberos and built trust
> between Windows AD server.
>
> How would an AD user logged in to windows PC SSO authenticate with an
> application that works with MIT kerberos?
>
> Best regards
> Ben
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--
Todd Grayson
Customer Operations Engineering
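
The client-side ksetup steps named in the reply above, written out as an added example that is not part of the original thread. The realm name, KDC host, DNS suffix and service principal are hypothetical placeholders, and the leading-dot suffix form for /addhosttorealmmap is an assumption to confirm against the ksetup documentation linked in the reply.

```powershell
# Added example. Every name below is a placeholder, not a value from the thread.
$MitRealm     = 'HADOOP.EXAMPLE.COM'                  # hypothetical MIT realm of the cluster
$MitKdcs      = @('kdc1.hadoop.example.com')          # hypothetical KDC host(s) for that realm
$HostMappings = @('.hadoop.example.com')              # assumed: leading dot maps a whole DNS suffix
$TestSpn      = 'HTTP/namenode1.hadoop.example.com'   # hypothetical SPNEGO service principal

# ksetup changes machine-wide settings, so refuse to run without elevation.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Run a native tool and stop if it reports a non-zero exit code.
function Invoke-Native {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') exited with code $LASTEXITCODE"
    }
}

# 1. Tell this Windows host where the MIT realm's KDC(s) live.
foreach ($kdc in $MitKdcs) {
    Invoke-Native ksetup @('/addkdc', $MitRealm, $kdc)
}

# 2. Map the cluster's host names to the MIT realm so service tickets for
#    those hosts are requested from that realm rather than from AD.
foreach ($mapping in $HostMappings) {
    Invoke-Native ksetup @('/addhosttorealmmap', $mapping, $MitRealm)
}

# 3. Print the resulting Kerberos client configuration for review.
Invoke-Native ksetup @('/dumpstate')

# 4. Verification: request a service ticket for a cluster service and list
#    the ticket cache. A ticket whose server realm is the MIT realm shows
#    the cross-realm path works for the logged-in AD user.
Invoke-Native klist @('get', $TestSpn)
klist
```

Step 4 checks the ticket cache of the session it runs in, so repeat `klist get` from the user's normal, non-elevated session when confirming desktop SSO.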