How would windows AD user authenticate with MIT kerberos

Ben Kim benkimkimben at gmail.com
Mon Aug 3 17:36:31 EDT 2015


Thank you so much Todd! /addhosttorealmmap was what I was missing :)
On Jul 24, 2015 10:09 AM, "Todd Grayson" <tgrayson at cloudera.com> wrote:

> The windows desktop user has its kerberos credentials from the AD KDC by
> nature of logging into the AD domain (REALM) for their desktop.
>
> The ksetup command on the windows desktop (/addkdc and /addhosttorealmmap)
> allows you to describe the MIT kerberos realm, and how to map fqdn
> hostnames / domain names to a kerberos realm for that windows host (I
> believe group policy can be used to configure at larger scale).  This is
> beyond the basic trust you have already established from the domain
> controller (and I assume is working, can you do a hadoop fs -ls as an AD
> user...).
>
> The kerberos credentials get applied in CLI integration with the cluster,
> the command line tools are kerberos authentication aware.
>
> Enabling kerberos within hadoop changes the mode of operation for the
> cluster to secure/isolation mode, and all users must be represented with
> user/group accounts that will be scheduling running jobs.
>
> Generally speaking for windows desktop users getting SPNEGO (kerberos over
> HTTP, "Secure web authentication") and ODBC/JDBC connections working to the
> cluster becomes the bulk of activity...   The ksetup docs for /addkdc and
> /addhosttorealmmap are going to be the most critical for you...
> https://technet.microsoft.com/en-us/library/hh240190.aspx
>
> On Fri, Jul 24, 2015 at 8:22 AM, Ben Kim <benkimkimben at gmail.com> wrote:
>
>> Hi
>> Currently I have a hadoop system set up with MIT kerberos and built trust
>> between Windows AD server.
>>
>> How would an AD user logged in to windows PC sso authenticate with an
>> application that works with MIT kerberos?
>>
>> Best regards
>> Ben
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
>
> --
> Todd Grayson
> Customer Operations Engineering
>
>
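The ksetup steps named in the reply above (/addkdc and /addhosttorealmmap), as an added example that is not part of the original thread. The realm name, KDC host, DNS suffix and test SPN are constructed placeholders, and the script parameters are hypothetical names chosen for this sketch.

```powershell
# Added example: describe an MIT realm to a Windows host with ksetup, then
# verify that a service ticket can be obtained across the existing trust.
# All default values below are constructed placeholders; replace them.
param(
    [string]   $MitRealm = 'HADOOP.EXAMPLE.COM',           # MIT Kerberos realm
    [string[]] $MitKdcs  = @('kdc1.hadoop.example.com'),   # KDC(s) of that realm
    [string[]] $HostMaps = @('.hadoop.example.com'),       # host or DNS suffix to map
    [string]   $TestSpn  = 'HTTP/namenode.hadoop.example.com',
    [switch]   $Verify                                     # only run the checks
)

if (-not $Verify) {
    # ksetup writes machine-wide Kerberos settings, so require elevation.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { throw 'Run the configuration step from an elevated prompt.' }

    # Tell this host where the KDCs of the MIT realm are.
    foreach ($kdc in $MitKdcs) {
        & ksetup /addkdc $MitRealm $kdc
        if ($LASTEXITCODE -ne 0) { throw "ksetup /addkdc failed for $kdc" }
    }

    # Map cluster hostnames (or a whole DNS suffix) to the MIT realm so that
    # service tickets for those hosts are requested from that realm.
    foreach ($entry in $HostMaps) {
        & ksetup /addhosttorealmmap $entry $MitRealm
        if ($LASTEXITCODE -ne 0) { throw "ksetup /addhosttorealmmap failed for $entry" }
    }

    # Show the resulting realm and mapping configuration for review.
    & ksetup /dumpstate
    Write-Host 'A restart may be needed before the new realm settings are used.'
}
else {
    # Run this part as the AD user in a normal (non-elevated) session.
    # klist get requests a ticket for the SPN using the logon credentials.
    & klist get $TestSpn
    if ($LASTEXITCODE -ne 0) { throw "No ticket obtained for $TestSpn" }
    # The Server line of the new ticket should show the MIT realm.
    & klist
}
```

Run it once without arguments from an elevated prompt to configure the host, then with `-Verify` as the AD user to confirm a ticket for the cluster service is issued.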

