Hi Mauro

On 13.04.2016 at 22:22, Todd Grayson wrote:
> netdom trust and ksetup examples that are correct for AD / MIT kerberos
> http://blog.godatadriven.com/cross-realm-trust-kerberos.html

This blog describes the procedure quite well; here are some additional details:

1)
> [realms]
>  WIN_GDD.NL = {
>   kdc = host1.mywindomain.nl:88
>   admin_server = host1.mywindomain:749
>  }
>  GDD.NL = {
>   kdc = host1.mydomain.nl:88
>   admin_server = host1.mydomain.nl:749
>   default_domain = mydomain.nl
>  }

=> In this example I would not include names for the AD DC/KRB server but use DNS to resolve them:

> [realms]
>  WIN_GDD.NL = {
>  }

In AD/Windows, the DC servers are never configured locally on the clients but are looked up in DNS for every operation (cached using the TTL). So the AD admins are often not aware that they have to deploy changes in the infrastructure to the clients.

2) The local settings for the client (knowing the KRB realm for HADOOP, host-to-realm mappings) can be done via a GPO, so you don't have to configure every client with

> ksetup /addkdc REALM [server]
> ksetup /addHostToRealmMap host REALM

The settings can be found at Policies/Administrative Templates/System/Kerberos

-> "Define interoperable Kerberos V5 realm settings"
   Value Name = REALM
   Value = <f>RealmFlags</f><k>list;of;KDCs</k>

-> "Define host name-to-Kerberos realm mappings"
   Value Name = REALM
   Value = list;of;hadoop:hosts;to;map;to;the:realm

I never needed the realm flags, but one can look that up at
> https://technet.microsoft.com/en-us/library/hh240195.aspx?f=255&MSPPError=-2147217396

The values can be empty if the DNS holds SRV records for the KDCs of the Hadoop realm and TXT records for the host-to-realm settings, see e.g.:
> http://web.mit.edu/kerberos/krb5-1.13/doc/admin/realm_config.html

The "Value Name" (REALM) will still be needed for the client to know that there is something to look for in DNS!

Robert.

-- 
Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
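The post's advice to leave the realm stanza and the GPO KDC list empty only works if DNS really carries the records clients query. The following is an added example, not code from the mailing-list post or from the linked blog: it walks a constructed sample zone (the host names are placeholders taken from the quoted configuration, the zone data is made up) and reports which KDC SRV records MIT krb5 would query for a realm are missing, and which hosts have no `_kerberos` TXT record and therefore still need an explicit `[domain_realm]` or GPO host-to-realm entry. The SRV owner names and the parent-domain walk for TXT lookups follow the MIT realm_config documentation cited above. Note that stock MIT krb5 ships with `dns_lookup_realm = false`, so TXT-based host-to-realm mapping also has to be switched on in krb5.conf before clients will use it.

```python
"""Check whether a DNS zone carries the records that let Kerberos clients
discover a realm's KDCs and map hosts to a realm.  The zone below is a
constructed sample (assumption), not a real zone."""

# Constructed sample zone: owner name -> list of (rrtype, rdata).
# SRV rdata is (priority, weight, port, target).  Host names are placeholders.
SAMPLE_DNS = {
    "_kerberos._udp.gdd.nl.":     [("SRV", (0, 100, 88, "host1.mydomain.nl."))],
    "_kerberos._tcp.gdd.nl.":     [("SRV", (0, 100, 88, "host1.mydomain.nl."))],
    "_kerberos-adm._tcp.gdd.nl.": [("SRV", (0, 100, 749, "host1.mydomain.nl."))],
    "_kpasswd._udp.gdd.nl.":      [("SRV", (0, 100, 464, "host1.mydomain.nl."))],
    # host-to-realm mapping for one Hadoop node; dn1 deliberately has none
    "_kerberos.nn1.mydomain.nl.": [("TXT", "GDD.NL")],
}

# SRV owner names MIT krb5 queries for a realm: (service, protocol, purpose).
KDC_SERVICES = [
    ("_kerberos", "_udp", "KDC (UDP)"),
    ("_kerberos", "_tcp", "KDC (TCP)"),
    ("_kerberos-adm", "_tcp", "admin server (kadmin)"),
    ("_kpasswd", "_udp", "password change"),
]


def _fqdn(name):
    """Normalise a DNS name for lookup: lowercase, single trailing dot."""
    return name.lower().rstrip(".") + "."


def lookup(dns, name, rrtype):
    """Return the rdata of all records of `rrtype` at `name` (empty if none)."""
    return [rdata for rtype, rdata in dns.get(_fqdn(name), []) if rtype == rrtype]


def kdc_discovery_report(dns, realm):
    """Map each SRV owner name for `realm` to its sorted KDC targets
    (an empty list means the record is missing)."""
    report = {}
    for service, proto, _purpose in KDC_SERVICES:
        owner = f"{service}.{proto}.{realm}"
        report[_fqdn(owner)] = sorted(lookup(dns, owner, "SRV"))
    return report


def missing_kdc_records(dns, realm):
    """Owner names a client would query for `realm` that have no SRV record."""
    return [name for name, targets in kdc_discovery_report(dns, realm).items()
            if not targets]


def host_to_realm(dns, hostname):
    """Realm for `hostname` from _kerberos TXT records, trying the host and
    then each parent domain (stopping before the bare TLD); None if unmapped."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        txt = lookup(dns, "_kerberos." + ".".join(labels[i:]), "TXT")
        if txt:
            return txt[0].strip('"')
    return None


def explicit_domain_realm_entries(dns, hosts):
    """Hosts that still need a [domain_realm] (or GPO host-to-realm) entry
    because no TXT record maps them to a realm."""
    return [h for h in hosts if host_to_realm(dns, h) is None]


if __name__ == "__main__":
    for realm in ("GDD.NL", "WIN_GDD.NL"):
        missing = missing_kdc_records(SAMPLE_DNS, realm)
        status = "all KDC SRV records present" if not missing else "missing: " + ", ".join(missing)
        print(f"{realm}: {status}")
    nodes = ["nn1.mydomain.nl", "dn1.mydomain.nl"]
    for host in nodes:
        print(f"{host} -> realm {host_to_realm(SAMPLE_DNS, host)}")
    print("need explicit mapping:", explicit_domain_realm_entries(SAMPLE_DNS, nodes))
```

Run against the sample zone, `GDD.NL` comes back complete, `WIN_GDD.NL` shows all four SRV names missing, and `dn1.mydomain.nl` is flagged as needing an explicit mapping. Replacing `SAMPLE_DNS` with real query results (for example from `dnspython`) turns this into a pre-rollout check that the empty-stanza configuration will actually resolve on the clients.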