Look at the _kerberos._tcp.dc._msdcs.AD.COM SRV records in your AD.COM zone. 
That’s how Windows clients locate a KDC within the domain. You may be able to 
set up something similar for the Hadoop.com zone pointing to node1.hadoop.com.

From: [email protected] [mailto:[email protected]] On 
Behalf Of Christopher Bodnar
Sent: Wednesday, August 19, 2015 9:50 AM
To: [email protected]
Subject: [NTSysADM] Kerberos question


We are working on setting up Hadoop in our environment. Everything is working 
fine. I just have some questions around Kerberos authentication, hoping someone 
on the list can shed some light on this for me. For the various Hadoop 
components there are separate authentication points. Right now I'm only 
interested in the HDFS component. On the Linux side, they have set up a Kerberos 
realm. Then a cross-domain trust is set up between the Linux realm and AD. All 
that works fine, no issues. What I wanted clarification on is specifically this:

ksetup /addkdc HADOOP.COM node1.hadoop.com
netdom trust HADOOP.COM /Domain:AD.COM /add /realm /passwordt:HortonworkS4554
ksetup /SetEncTypeAttr HADOOP.COM DES-CBC-CRC DES-CBC-MD5 RC4-HMAC-MD5 AES128-CTS-HMAC-SHA1-96 AES256-CTS-HMAC-SHA1-96

Specifically, the necessity for the first command. I know what it does: it 
creates a registry value on the DC you run this on 
(HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\Kerberos\Domains) 
that points you to a KDC for the realm. What I'm not clear on is why this is 
necessary. My guess is that there is no other mechanism of discovery for this, 
since it's Kerberos and not DNS. If that is the case, I'm surprised there isn't 
a DNS record that could be created and used for this discovery purpose.

Thanks,


Christopher Bodnar
Enterprise Architect II, Corporate Office of Technology:Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
[email protected]



The Guardian Life Insurance Company of America

www.guardianlife.com
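The two discovery mechanisms discussed in this thread (the _kerberos._tcp SRV records the reply points at, and the per-realm registry key that ksetup /addkdc writes), shown as an added PowerShell example. This is not code from either message; it assumes the names used in the thread (AD.COM, HADOOP.COM, node1.hadoop.com), that the hadoop.com zone is hosted on a Windows DNS server where the DnsServer module is available, and that ksetup stores the KDC list in the KdcNames and RealmFlags values under Kerberos\Domains\<REALM>. The function names are mine.

```powershell
# Added example for the thread above; not part of either message.
# Assumptions: realm/zone names from the thread; elevated PowerShell on a DC
# (for the registry read) and on the DNS server hosting hadoop.com (for the
# SRV publish). Function names are hypothetical.
param(
    [string]$AdDomain   = 'ad.com',           # AD.COM from the thread
    [string]$MitRealm   = 'HADOOP.COM',       # MIT realm from the thread
    [string]$MitKdcHost = 'node1.hadoop.com', # KDC named in ksetup /addkdc
    [string]$MitZone    = 'hadoop.com'        # assumption: zone hosted on AD DNS
)

# 1. How a Windows client locates a KDC for an AD domain: the SRV records the
#    reply mentions. This is the DNS-based discovery the original poster asked about.
function Get-KdcSrvRecords {
    param([Parameter(Mandatory)][string]$Domain)
    Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port, Priority, Weight
}

# 2. What `ksetup /addkdc <REALM> <KDC>` leaves behind: a subkey per realm under
#    Lsa\Kerberos\Domains. Reading it back is the quickest way to audit which hosts
#    a DC will trust as KDCs for a foreign realm (assumed value names: KdcNames, RealmFlags).
function Get-KsetupRealm {
    param([Parameter(Mandatory)][string]$Realm)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\$Realm"
    if (-not (Test-Path $key)) { return $null }   # realm never added with ksetup
    Get-ItemProperty -Path $key | Select-Object KdcNames, RealmFlags
}

# 3. The "something similar" the reply suggests: publish a _kerberos._tcp SRV record
#    in the hadoop.com zone pointing at the MIT KDC on port 88, then read it back.
function Publish-KdcSrvRecord {
    param(
        [Parameter(Mandatory)][string]$Zone,
        [Parameter(Mandatory)][string]$KdcHost,
        [int]$Port = 88
    )
    Add-DnsServerResourceRecord -ZoneName $Zone -Name '_kerberos._tcp' -Srv `
        -DomainName $KdcHost -Port $Port -Priority 0 -Weight 100
    # Verify the record is answerable before relying on it anywhere.
    Resolve-DnsName -Name "_kerberos._tcp.$Zone" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Port
}

# Walk-through in the order the thread discusses them.
"== SRV records Windows uses to find KDCs for $AdDomain =="
Get-KdcSrvRecords -Domain $AdDomain | Format-Table -AutoSize

"== Registry KDC list written by ksetup /addkdc for $MitRealm =="
$realm = Get-KsetupRealm -Realm $MitRealm
if ($null -eq $realm) { "no ksetup entry for $MitRealm on this host" } else { $realm }

"== Publishing an SRV record for the MIT realm in zone $MitZone =="
Publish-KdcSrvRecord -Zone $MitZone -KdcHost $MitKdcHost | Format-Table -AutoSize
```

Two things a practitioner would check before copying the commands from the original message: the netdom line carries the trust password on the command line, so it ends up in shell history and in any command-line auditing (Sysmon/4688) you have enabled, and the /SetEncTypeAttr list includes the two DES types, which have been disabled by default on Windows since Windows 7 / Server 2008 R2 and add nothing but a downgrade path. Whether a Windows client will actually consult the published SRV record for an MIT realm when no ksetup entry exists is something to confirm on a test client (for example with klist after authenticating to an HDFS service); the reply only says it "may" work.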



