Mauro Cazzari <mymagi...@gmail.com> writes:

> I'm relatively new to Kerberos, so please forgive me if my question
> might sound dumb.
>
> I'm trying to access a secured Hadoop environment from a Windows
> machine. The Hadoop cluster uses its own realm. I installed MIT
> Kerberos on the Windows box and configured it so that I can successfully
> obtain tickets, but I'd like to see if there is a way to instead use the
> tickets that are generated through AD when I log on to Windows. My
> understanding is that a one-way trust between the AD and the cluster's
> KDC could solve the issue. What's not clear is whether I need to define
> anything at all at the AD level. I'm thinking that since I'm trying to
> gain access to the realm associated with the Hadoop cluster, all I need
> to do is to add a principal to it for the AD realm, the one I want to
> trust. After that, I would change the krb5.conf file to make sure the AD
> realm is seen.

Even one-way trust requires making changes to both KDCs, since for any
type of trust you need to have a shared key between AD and the remote
KDC. The only difference between one-way trust and two-way trust is that
you have only one shared key instead of two shared keys.

In theory, one-way trust where you have a krbtgt/<hadoop-realm>@<ad-realm>
principal in both KDCs should be sufficient. In practice, I have run into
no end of weird trouble with one-way trust, and strongly prefer to set up
two-way trust whenever I set up cross-realm trust just to avoid having my
head hurt later.

Note that you'll also have to configure the Windows side to know to do
cross-realm to the Hadoop realm when accessing those resources. There are
probably ways to do this with local configuration, but I think
domain_realm mappings on Windows are usually also done with AD
configuration. (Disclaimer: I've never done the AD side of this setup
myself.)

-- 
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
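For readers following the reply above, here is an added example (not from either poster) of the MIT krb5.conf / krb5.ini pieces that make the client walk the one-way trust: the realm names AD.EXAMPLE and HADOOP.EXAMPLE, the KDC host names and the DNS domains are placeholders, and the shared krbtgt key still has to be created on both KDCs as the reply says.

```ini
# Added example, not from the thread. Client-side MIT Kerberos config
# (krb5.ini on Windows, krb5.conf elsewhere) for a one-way trust in which
# the Hadoop realm trusts the AD realm. All realm/host names are assumed.
[libdefaults]
    default_realm = AD.EXAMPLE
    dns_lookup_kdc = true

[realms]
    AD.EXAMPLE = {
        kdc = dc1.ad.example
        admin_server = dc1.ad.example
    }
    HADOOP.EXAMPLE = {
        kdc = kdc1.hadoop.example
        admin_server = kdc1.hadoop.example
    }

# Hosts under these DNS domains belong to the Hadoop realm. Without this
# mapping the client would ask its own (AD) KDC for a service ticket for a
# Hadoop host and never attempt cross-realm at all.
[domain_realm]
    .hadoop.example = HADOOP.EXAMPLE
    hadoop.example  = HADOOP.EXAMPLE
    .ad.example     = AD.EXAMPLE
    ad.example      = AD.EXAMPLE

# Direct path: an AD.EXAMPLE principal reaches HADOOP.EXAMPLE in one hop
# via the cross-realm TGT krbtgt/HADOOP.EXAMPLE@AD.EXAMPLE. Without this
# entry MIT Kerberos assumes a hierarchical path through a shared parent
# realm, which these two realm names do not have. Only this direction is
# declared because the trust is one-way; a two-way trust would add the
# mirror entry under HADOOP.EXAMPLE.
[capaths]
    AD.EXAMPLE = {
        HADOOP.EXAMPLE = .
    }
```

The principal krbtgt/HADOOP.EXAMPLE@AD.EXAMPLE must exist with the same key in the MIT KDC and in AD (created when the realm trust is defined on the AD side), which is the shared key the reply refers to; the Hadoop services themselves then need a rule mapping AD.EXAMPLE principals to local user names, which is outside the scope of this thread.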