Michael and Alex, thanks for the replies. The setup is indeed what Michael suggested, that the cluster KDC trusts the enterprise AD (which serves as a KDC also). We did a lot more digging around and testing, and found that the problem was largely due to various flaws in our cluster krb5.conf files not matching exactly. Unfortunately we made so many attempts that I can’t now recall exactly what we did to bring it all into line.
john

From: Alexander Alten-Lorenz [mailto:[email protected]]
Sent: Wednesday, March 25, 2015 3:28 AM
To: [email protected]
Subject: Re: Trusted-realm vs default-realm kerberos issue

Do you have mapping rules, which tell Hadoop that the trusted realm is allowed to log in?
http://mapredit.blogspot.de/2015/02/hadoop-and-trusted-mitv5-kerberos-with.html

BR,
Alex

On 24 Mar 2015, at 18:21, Michael Segel <[email protected]> wrote:

So… If I understand, you’re saying you have a one way trust set up so that the cluster’s AD trusts the Enterprise AD?
And by AD you really mean KDC?

On Mar 17, 2015, at 2:22 PM, John Lilley <[email protected]> wrote:

AD

The opinions expressed here are mine, while they may reflect a cognitive thought, that is purely accidental.
Use at your own risk.
Michael Segel
michael_segel (AT) hotmail.com
