Re: Problem setting up Hadoop security with active directory using one-way cross-realm configuration
Ivan Frain 2012-07-25, 15:27

Thanks for your answer.
I think I already did what you propose. Some comments in the remaining.

2012/7/25 Mapred Learn <[EMAIL PROTECTED]>

> You need to set up a local realm on your KDC (linux) and run commands on
> windows AD to add this realm as a trust realm on your AD realm.

I set up a KDC on the linux machine and configured a one-way incoming trust on AD to be trusted by the local KDC. I set the enc type as well on AD. I also created the appropriate remote TGT on the local KDC: krbtgt/[EMAIL PROTECTED]M with the same encoding type.

> After this you need to modify your /etc/krb5.conf to include this local
> realm as trust realm to your AD realm.

Here is the /etc/krb5.conf located in my local kdc on the mitkdc.hadoop.realm machine. Maybe something is wrong there:

    [libdefaults]
        default_realm = HADOOP.REALM
        default_tkt_enctypes = arcfour-hmac-md5
        default_tgs_enctypes = arcfour-hmac-md5

    [realms]
        HADOOP.REALM = {
            kdc = mitkdc.hadoop.realm
            admin_server = mitkdc.hadoop.realm
            default_domain = hadoop.realm
        }
        DOMAIN.REALM = {
            kdc = ad.domain.realm
            admin_server = ad.domain.realm
            default_domain = domain.realm
        }

    [domain_realm]
        .hadoop.realm = HADOOP.REALM
        hadoop.realm = HADOOP.REALM
        .domain.realm = DOMAIN.REALM
        domain.realm = DOMAIN.REALM

> And then you should be all set.

I was hoping so but it is not ... yet ... the case.

> Sent from my iPhone
>
> On Jul 25, 2012, at 2:29 AM, Ivan Frain <[EMAIL PROTECTED]> wrote:
>
>> Hi all,
>>
>> I am trying to set up a one-way cross realm trust between a MIT KDC and an
>> active directory server and up to now I did not succeed.
>> I hope someone in this list will be able to help me.
>>
>> My config is as follows:
>>  - hadoop version: 0.23.1 with security enabled (kerberos).
>>  - hadoop realm (mitkdc): HADOOP.REALM
>>  - 1 linux node (mitkdc.hadoop.realm - 192.168.198.254) running: hdfs namenode, hdfs datanode, mit kdc
>>  - 1 windows node (ad.domain.realm - 192.168.198.253) running: active directory 2003
>>  - AD realm: DOMAIN.REALM
>>
>> Everything works well with kerberos enabled if I only use the linux
>> machine with users having principal in the mitkdc: [EMAIL PROTECTED]M
>>
>> What I am trying to do is to use the user database in the Active directory
>> (users with principals like [EMAIL PROTECTED]M)
>>
>> To do that, I set up a one-way cross realm as explained here:
>> https://ccp.cloudera.com/display/CDH4DOC/Integrating+Hadoop+Security+with+Active+Directory
>>
>> From the linux machine I can authenticate against an active directory user
>> with the kinit command but when I perform a query using the hadoop command
>> I have the following error message:
>> ---------------------
>> hdfs@mitkdc:~$ kinit [EMAIL PROTECTED]M
>> Password for [EMAIL PROTECTED]M:
>>
>> hdfs@mitkdc:~$ klist -e
>> Ticket cache: FILE:/tmp/krb5cc_10003
>> Default principal: [EMAIL PROTECTED]M
>>
>> Valid starting       Expires              Service principal
>> 25/07/2012 11:00     25/07/2012 20:59     krbtgt/[EMAIL PROTECTED]M
>>         renew until 26/07/2012 11:00, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
>>
>> hdfs@mitkdc:~$ hadoop/bin/hadoop fs -ls /user
>> 12/07/25 11:00:50 ERROR security.UserGroupInformation: PriviledgedActionException as:[EMAIL PROTECTED]M (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)]
>> 12/07/25 11:00:50 INFO security.UserGroupInformation: Initiating logout for [EMAIL PROTECTED]M
>> 12/07/25 11:00:50 INFO security.UserGroupInformation: Initiating re-login for [EMAIL PROTECTED]M
>> 12/07/25 11:00:53 ERROR security.UserGroupInformation: PriviledgedActionException as:[EMAIL PROTECTED]M (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by

Ivan Frain
11, route de Grenade
31530 Saint-Paul-sur-Save
mobile: +33 (0)6 52 52 47 07
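As an added illustration (not code from the thread or from Hadoop), the Python below parses the posted krb5.conf, checks the two prerequisites visible in it for a DOMAIN.REALM user reaching a HADOOP.REALM service (a kdc for both realms and a [domain_realm] mapping into the service realm), and names the cross-realm ticket, krbtgt/HADOOP.REALM@DOMAIN.REALM, that the AD KDC must issue and the MIT KDC must be able to decrypt before any Hadoop service ticket can be produced. The parser and the function names are my own minimal implementation, and the embedded config is a constructed copy of the one in the message.

```python
# Constructed copy of the krb5.conf posted in the thread, not a file taken from the author's system.
SAMPLE_KRB5_CONF = """[libdefaults]
 default_realm = HADOOP.REALM
 default_tkt_enctypes = arcfour-hmac-md5
 default_tgs_enctypes = arcfour-hmac-md5
[realms]
 HADOOP.REALM = {
  kdc = mitkdc.hadoop.realm
  admin_server = mitkdc.hadoop.realm
  default_domain = hadoop.realm
 }
 DOMAIN.REALM = {
  kdc = ad.domain.realm
  admin_server = ad.domain.realm
  default_domain = domain.realm
 }
[domain_realm]
 .hadoop.realm = HADOOP.REALM
 hadoop.realm = HADOOP.REALM
 .domain.realm = DOMAIN.REALM
 domain.realm = DOMAIN.REALM
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {key: value}}; 'key = { ... }' becomes a nested dict."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]   # new top-level section
        elif line == "}":
            stack.pop()                                # close a realm block
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf

def cross_realm_checks(conf, client_realm, service_realm):
    """Cross-realm ticket a client of client_realm needs for service_realm, plus gaps in conf."""
    realms, mapped = conf.get("realms", {}), set(conf.get("domain_realm", {}).values())
    problems = [f"no kdc for {r}" for r in (client_realm, service_realm)
                if "kdc" not in realms.get(r, {})]
    if service_realm not in mapped:
        problems.append(f"no [domain_realm] mapping into {service_realm}")
    # The client's KDC (AD here) issues krbtgt/<service realm>@<client realm>; the MIT KDC must hold the same key.
    return {"trust_principal": f"krbtgt/{service_realm}@{client_realm}", "problems": problems}
```

Because the config on the page passes both checks, the remaining suspect is the trust key itself: the krbtgt entry on the MIT KDC and the trust on AD must agree on name and enctype.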