Hadoop, mail # user - Problem setting up Hadoop security with active directory using one-way cross-realm configuration
Earlier messages in this thread (collapsed):
  Ivan Frain 2012-07-25, 09:29
  Mapred Learn 2012-07-25, 14:59
  Ivan Frain 2012-07-25, 15:27
  Mapred Learn 2012-07-25, 16:11

Re: Problem setting up Hadoop security with active directory using one-way cross-realm configuration
Ivan Frain 2012-07-25, 16:25
In AD:
- I have created a one-way incoming trust using the GUI (I guess it is the
equivalent of the "netdom trust").
- ksetup /addkdc HADOOP.REALM mitkdc.hadoop.realm
- ksetup /SetEncTypeAttr HADOOP.REALM RC4-HMAC-MD5

What do you think?
2012/7/25 Mapred Learn <[EMAIL PROTECTED]>

> Krb5 looks good.
> Can you also share commands you ran in your Windows AD?
>
> Sent from my iPhone
>
> On Jul 25, 2012, at 8:27 AM, Ivan Frain <[EMAIL PROTECTED]> wrote:
>
> > Thanks for your answer.
> >
> > I think I already did what you propose. Some comments in the remaining.
> >
> > 2012/7/25 Mapred Learn <[EMAIL PROTECTED]>
> >
> >> You need to set up a local realm on your KDC (linux) and run commands on
> >> windows AD to add this realm as a trust realm on your AD realm.
> >
> > I set up a KDC on the linux machine and configured a one-way incoming trust
> > on AD to be trusted by the local KDC. I set the enc type as well on AD. I
> > also created the appropriate remote TGT on the local KDC:
> > krbtgt/[EMAIL PROTECTED]M with the same encoding type.
> >
> >> After this you need to modify your /etc/krb5.conf to include this local
> >> realm as trust realm to your AD realm.
> >
> > Here is the /etc/krb5.conf located in my local kdc on the mitkdc.hadoop.realm
> > machine. Maybe something is wrong there:
> >
> > [libdefaults]
> >     default_realm = HADOOP.REALM
> >     default_tkt_enctypes = arcfour-hmac-md5
> >     default_tgs_enctypes = arcfour-hmac-md5
> >
> > [realms]
> >     HADOOP.REALM = {
> >         kdc = mitkdc.hadoop.realm
> >         admin_server = mitkdc.hadoop.realm
> >         default_domain = hadoop.realm
> >     }
> >     DOMAIN.REALM = {
> >         kdc = ad.domain.realm
> >         admin_server = ad.domain.realm
> >         default_domain = domain.realm
> >     }
> >
> > [domain_realm]
> >     .hadoop.realm = HADOOP.REALM
> >     hadoop.realm = HADOOP.REALM
> >     .domain.realm = DOMAIN.REALM
> >     domain.realm = DOMAIN.REALM
> >
> >> And then you should be all set.
> >
> > I was hoping so but it is not ... yet ... the case.
> >
> >> Sent from my iPhone
> >>
> >> On Jul 25, 2012, at 2:29 AM, Ivan Frain <[EMAIL PROTECTED]> wrote:
> >>
> >>> Hi all,
> >>>
> >>> I am trying to set up a one-way cross-realm trust between a MIT KDC and an
> >>> Active Directory server and up to now I did not succeed.
> >>> I hope someone on this list will be able to help me.
> >>>
> >>> My config is as follows:
> >>>   - hadoop version: 0.23.1 with security enabled (kerberos).
> >>>   - hadoop realm (mitkdc): HADOOP.REALM
> >>>   - 1 linux node (mitkdc.hadoop.realm - 192.168.198.254) running: hdfs
> >>>     namenode, hdfs datanode, mit kdc
> >>>   - 1 windows node (ad.domain.realm - 192.168.198.253) running: active
> >>>     directory 2003
> >>>   - AD realm: DOMAIN.REALM
> >>>
> >>> Everything works well with kerberos enabled if I only use the linux
> >>> machine with users having a principal in the mitkdc: [EMAIL PROTECTED]M
> >>>
> >>> What I am trying to do is to use the user database in the Active Directory
> >>> (users with principals like [EMAIL PROTECTED]M)
> >>>
> >>> To do that, I set up a one-way cross-realm trust as explained here:
> >>> https://ccp.cloudera.com/display/CDH4DOC/Integrating+Hadoop+Security+with+Active+Directory
> >>>
> >>> From the linux machine I can authenticate against an Active Directory user
> >>> with the kinit command, but when I perform a query using the hadoop command
> >>> I have the following error message:
> >>> ---------------------
> >>> hdfs@mitkdc:~$ kinit [EMAIL PROTECTED]M
> >>> Password for [EMAIL PROTECTED]M:
> >>>
> >>> hdfs@mitkdc:~$ klist -e
> >>> Ticket cache: FILE:/tmp/krb5cc_10003
> >>> Default principal: [EMAIL PROTECTED]M
> >>>
> >>> Valid starting    Expires           Service principal
> >>> 25/07/2012 11:00  25/07/2012 20:59  krbtgt/[EMAIL PROTECTED]M
> >>> renew until 26/07/2012 11:00, Etype (skey, tkt): arcfour-hmac,

Ivan Frain
11, route de Grenade
31530 Saint-Paul-sur-Save
mobile: +33 (0)6 52 52 47 07
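Editor's note: the following is an added example, not code from any of the posts above. It checks the client-side half of the setup discussed in this thread, the krb5.conf on the MIT KDC host, for the things a one-way trust depends on: a kdc entry for both realms, [domain_realm] mappings for both DNS domains, and default enctypes that include the RC4 enctype that ksetup /SetEncTypeAttr put on the AD side. It also composes the kadmin.local command for the krbtgt/HADOOP.REALM@DOMAIN.REALM principal that Ivan says he created, since that principal's enctype and password have to match what AD holds for the trust. The embedded krb5.conf is constructed from the one Ivan posted; the realm and host names are the thread's, and the set of RC4 enctype spellings is an assumption about how MIT and Windows name the same algorithm.

```python
"""Check the krb5.conf side of a one-way MIT KDC <- Active Directory trust.
Added example for this thread, not code from any of the posts; the sample
krb5.conf is constructed from the one Ivan posted (same realms and enctype)."""
import re

# Constructed sample: the thread's krb5.conf with consistent indentation.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = HADOOP.REALM
    default_tkt_enctypes = arcfour-hmac-md5
    default_tgs_enctypes = arcfour-hmac-md5

[realms]
    HADOOP.REALM = {
        kdc = mitkdc.hadoop.realm
        admin_server = mitkdc.hadoop.realm
        default_domain = hadoop.realm
    }
    DOMAIN.REALM = {
        kdc = ad.domain.realm
        admin_server = ad.domain.realm
        default_domain = domain.realm
    }

[domain_realm]
    .hadoop.realm = HADOOP.REALM
    hadoop.realm = HADOOP.REALM
    .domain.realm = DOMAIN.REALM
    domain.realm = DOMAIN.REALM
"""

# Assumed spellings MIT libkrb5 and Windows ksetup use for the same RC4 enctype.
RC4_ALIASES = {"arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac", "rc4-hmac-md5"}


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here ([sections], key = value lines,
    one level of NAME = { ... } blocks) into {section: {key: value|dict}}."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, block = conf.setdefault(header.group(1), {}), None
            continue
        if section is None:
            raise ValueError("setting outside any section: %r" % raw)
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = section.setdefault(key, {})
        else:
            (section if block is None else block)[key] = value
    return conf


def check_cross_realm(text, local_realm, trusted_realm, trust_enctypes=RC4_ALIASES):
    """Return the problems found; an empty list means the client-side config
    is consistent. It cannot see either KDC database, only what libkrb5 reads."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    problems = []
    if libdefaults.get("default_realm") != local_realm:
        problems.append("default_realm should be %s" % local_realm)
    # AD must be reachable for the user's TGT, MIT for the service tickets.
    for realm in (local_realm, trusted_realm):
        entry = conf.get("realms", {}).get(realm)
        if not isinstance(entry, dict) or "kdc" not in entry:
            problems.append("[realms] has no kdc entry for %s" % realm)
    # Bare and wildcard domain must map back to the realm, or the NameNode and
    # DataNode service principals are looked up in the wrong realm.
    domain_realm = conf.get("domain_realm", {})
    for realm in (local_realm, trusted_realm):
        for key in (realm.lower(), "." + realm.lower()):
            if domain_realm.get(key) != realm:
                problems.append("[domain_realm] does not map %s to %s" % (key, realm))
    # AD issues the cross-realm TGT with the enctype set by ksetup
    # /SetEncTypeAttr; a client that never requests it gets no usable ticket.
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        enctypes = set(libdefaults.get(key, "").split())
        if enctypes and not enctypes & trust_enctypes:
            problems.append("%s does not include the enctype set on AD" % key)
    return problems


def cross_realm_principal(local_realm, trusted_realm):
    """Principal the MIT KDC must hold for an incoming trust: AD encrypts the
    cross-realm TGT for LOCAL with the key of krbtgt/LOCAL@TRUSTED."""
    return "krbtgt/%s@%s" % (local_realm, trusted_realm)


def kadmin_addprinc(local_realm, trusted_realm, enctype="arcfour-hmac-md5"):
    """kadmin.local command creating that principal with the enctype AD was
    given; the password prompted for must be the trust password set in AD."""
    return 'kadmin.local -q "addprinc -e %s:normal %s"' % (
        enctype, cross_realm_principal(local_realm, trusted_realm))
```

Run `check_cross_realm(open("/etc/krb5.conf").read(), "HADOOP.REALM", "DOMAIN.REALM")` on the KDC host; an empty list means the config matches what the thread describes, and on the posted config it does. A clean krb5.conf is only the Kerberos half, though: Hadoop still has to map DOMAIN.REALM principals onto local user names through hadoop.security.auth_to_local in core-site.xml, which is outside what this script can check, as is whether the krbtgt/HADOOP.REALM@DOMAIN.REALM key in the MIT database actually matches the one AD holds.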
Later messages in this thread (collapsed):
  Guillaume Polaert 2012-10-15, 10:08
  Guillaume Polaert 2012-10-15, 13:16
  Mapred Learn 2012-07-25, 19:07