Re: Trusted-realm vs default-realm kerberos issue

2015-03-24 Thread Michael Segel
So… 

If I understand, you’re saying you have a one way trust set up so that the 
cluster’s AD trusts the Enterprise AD? 

And by AD you really mean KDC? 

> On Mar 17, 2015, at 2:22 PM, John Lilley  wrote:
> 
> AD

The opinions expressed here are mine, while they may reflect a cognitive 
thought, that is purely accidental. 
Use at your own risk. 
Michael Segel
michael_segel (AT) hotmail.com







Re: Trusted-realm vs default-realm kerberos issue

2015-03-25 Thread Alexander Alten-Lorenz
Do you have mapping rules, which tell Hadoop that the trusted realm is allowed 
to log in? 
http://mapredit.blogspot.de/2015/02/hadoop-and-trusted-mitv5-kerberos-with.html 


BR,
 Alex


> On 24 Mar 2015, at 18:21, Michael Segel  wrote:
> 
> So… 
> 
> If I understand, you’re saying you have a one way trust set up so that the 
> cluster’s AD trusts the Enterprise AD? 
> 
> And by AD you really mean KDC? 
> 
>> On Mar 17, 2015, at 2:22 PM, John Lilley wrote:
>> 
>> AD
> 
> The opinions expressed here are mine, while they may reflect a cognitive 
> thought, that is purely accidental. 
> Use at your own risk. 
> Michael Segel
> michael_segel (AT) hotmail.com 
> 
> 
> 
> 
> 



RE: Trusted-realm vs default-realm kerberos issue

2015-04-19 Thread John Lilley
Michael and Alex, thanks for the replies.

The setup is indeed what Michael suggested, that the cluster KDC trusts the 
enterprise AD (which serves as a KDC also).
We did a lot more digging around and testing, and found that the problem was 
largely due to various flaws in our cluster krb5.conf files not matching 
exactly.  Unfortunately we made so many attempts that I can’t now recall 
exactly what we did to bring it all into line.

john

From: Alexander Alten-Lorenz [mailto:wget.n...@gmail.com]
Sent: Wednesday, March 25, 2015 3:28 AM
To: user@hadoop.apache.org
Subject: Re: Trusted-realm vs default-realm kerberos issue

Do you have mapping rules, which tell Hadoop that the trusted realm is allowed 
to log in?
http://mapredit.blogspot.de/2015/02/hadoop-and-trusted-mitv5-kerberos-with.html

BR,
 Alex


On 24 Mar 2015, at 18:21, Michael Segel <michael_se...@hotmail.com> wrote:

So…

If I understand, you’re saying you have a one way trust set up so that the 
cluster’s AD trusts the Enterprise AD?

And by AD you really mean KDC?

On Mar 17, 2015, at 2:22 PM, John Lilley <john.lil...@redpoint.net> wrote:

AD

The opinions expressed here are mine, while they may reflect a cognitive 
thought, that is purely accidental.
Use at your own risk.
Michael Segel
michael_segel (AT) hotmail.com
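
An added example, not part of the original thread or any poster's code: since the resolution above was krb5.conf files that did not match exactly across the cluster, this sketch flattens each node's krb5.conf into comparable settings and reports every setting that is not present on all nodes. The realm names, host names, node names and function names are hypothetical, and the sample files are constructed.

```python
from collections import defaultdict

def flatten_krb5(text):
    """Return a set of 'section/sub/key = value' strings for one krb5.conf."""
    settings, path = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":           # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            path = [line[1:-1].strip()]           # new top-level section
        elif line == "}":
            if len(path) > 1:
                path.pop()                        # leave a nested block
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                path.append(key)                  # enter a nested block, e.g. a realm
            else:
                settings.add("/".join(path + [key]) + " = " + value)
    return settings

def find_drift(configs):
    """Map each setting missing from at least one node to the nodes that have it."""
    seen = defaultdict(set)
    for node, text in configs.items():
        for setting in flatten_krb5(text):
            seen[setting].add(node)
    return {s: sorted(n) for s, n in seen.items() if len(n) != len(configs)}

# Constructed sample: cluster realm plus a trusted enterprise realm (hypothetical names).
BASE = """[libdefaults]
  default_realm = CLUSTER.EXAMPLE.COM
[realms]
  CLUSTER.EXAMPLE.COM = {
    kdc = kdc1.cluster.example.com
  }
  CORP.EXAMPLE.COM = {
    kdc = ad1.corp.example.com
  }
[domain_realm]
  .corp.example.com = CORP.EXAMPLE.COM
"""
CONFIGS = {
    "node1": BASE,
    "node2": "# managed copy\n" + BASE.replace("  ", "\t"),  # cosmetic changes only
    "node3": BASE.replace(".corp.example.com = CORP.EXAMPLE.COM",
                          ".corp.example.com = corp.example.com"),  # realm case differs
}

if __name__ == "__main__":
    for setting, nodes in sorted(find_drift(CONFIGS).items()):
        print(f"{setting}  only on: {', '.join(nodes)}")
```

The comparison is deliberately case-sensitive, because Kerberos realm names are case-sensitive and a lower-cased realm in one node's file is exactly the kind of mismatch that is easy to miss by eye.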