Srini2k6

Reputation: 390

Two clusters with the same Kerberos realm

I have two Ambari clusters called app-cluster and data-cluster. Both are secured by Kerberos. Both clusters have their own KDC server, but the same realm name (configured by the admin team).

Now I want to access the name node of data-cluster from app-cluster. But app-cluster doesn't have a name node principal for data-cluster, so Kerberos throws an error like

TGS request result: -1765328377/Server nn/machine@REALM not found in Kerberos database.

I checked cross-realm authentication. It says both realm names should be different.

How can I achieve cross-cluster Kerberos authentication with two different master KDC servers that have the same realm name?

Upvotes: 0

Views: 1213

Answers (1)

Eugen Natucci

Reputation: 53

The problem that I see when having two KDC masters with the same realm name is that there are two different Kerberos databases, one per master, which means that they hold different data, are encrypted with different master keys, use different salts, and may even use different encryption types (if installed from different distributions, for example).

For instance, you can make sure that the data is different by executing the following command on both of your masters and then compare the output:

kdb5_util tabdump keydata

The correct case for cross-realm authentication is when there are at least two KDC masters responsible for different realms in different domains and you still want users from one realm to authenticate in another realm:

https://web.mit.edu/KERBEROS/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Cross_002drealm-Authentication.html

When there are two KDCs in one realm and domain, it would make sense to make one of them the master KDC and the other one a slave. Which leads me to a question: what was the reason for having the second KDC master in the first place?

  • Was it HA concerns? Then indeed one of the KDC masters needs to be made a slave KDC.
  • Were app-cluster and data-cluster both in different domains? Then it would make sense to have different realms.

If there are no high availability concerns so far (e.g. these two clusters are both still at the development stage), another option could be to use just one KDC master without any slaves and configure the nodes in all clusters to talk to this KDC.

General recommendations on the configuration of a realm:

https://web.mit.edu/kerberos/krb5-1.12/doc/admin/realm_config.html

Upvotes: 0
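The answer above says to run `kdb5_util tabdump keydata` on both masters and compare the output. As an added example (not code from the original answer or from the MIT krb5 project), the POSIX shell script below turns that comparison into a check. It assumes you saved each master's dump to a file, e.g. `kdb5_util tabdump keydata > kdc-app.tsv` on one KDC and `> kdc-data.tsv` on the other, and it uses the column layout of the `keydata` dump type (name, keyindex, kvno, enctype, key, salttype, salt). The file names, the `REALM` realm and all key material are constructed for the demo, not real data.

```shell
#!/bin/sh
# Added example, not from the original answer: compare two
# `kdb5_util tabdump keydata` outputs taken on two KDC masters that claim the
# same realm name, to show that they are independent Kerberos databases.
set -eu

# Principals that have key entries in dump A but none in dump B.
# This is the data-cluster nn/... principal missing from the app-cluster KDC.
principals_only_in() {
    awk -F'\t' '
        $1 == "name" { next }              # skip the tabdump header line
        NR == FNR    { a[$1] = 1; next }   # first file: collect principal names
                     { b[$1] = 1 }         # second file
        END { for (p in a) if (!(p in b)) print p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Principals present in both dumps whose key material (kvno, enctype, key,
# salttype, salt) differs for the same key index: same name, different secret.
# Even krbtgt/REALM@REALM and the K/M master key entry will differ, which is
# why the two "same realm" KDCs cannot accept each other's tickets.
principals_with_different_keys() {
    awk -F'\t' '
        $1 == "name" { next }
        NR == FNR    { a[$1, $2] = $3 FS $4 FS $5 FS $6 FS $7; next }
        (($1, $2) in a) && a[$1, $2] != $3 FS $4 FS $5 FS $6 FS $7 { d[$1] = 1 }
        END { for (p in d) print p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample dumps (hypothetical realm REALM, fake hex keys) written
# in the tabdump keydata layout so the functions above can run offline.
write_sample_dumps() {
    dir="$1"
    {
        printf 'name\tkeyindex\tkvno\tenctype\tkey\tsalttype\tsalt\n'
        printf 'K/M@REALM\t0\t1\t18\t11111111\t0\t\n'
        printf 'krbtgt/REALM@REALM\t0\t1\t18\taaaaaaaa\t0\t\n'
        printf 'hdfs/app1@REALM\t0\t2\t18\t22222222\t0\t\n'
    } > "$dir/kdc-app.tsv"
    {
        printf 'name\tkeyindex\tkvno\tenctype\tkey\tsalttype\tsalt\n'
        printf 'K/M@REALM\t0\t1\t18\t99999999\t0\t\n'
        printf 'krbtgt/REALM@REALM\t0\t1\t18\tbbbbbbbb\t0\t\n'
        printf 'hdfs/data1@REALM\t0\t2\t18\t33333333\t0\t\n'
        printf 'nn/machine@REALM\t0\t3\t18\t44444444\t0\t\n'
    } > "$dir/kdc-data.tsv"
}

# Usage: sh compare-kdcs.sh demo   (runs on the constructed sample dumps)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_sample_dumps "$tmp"
    echo "In the data-cluster KDC but not in the app-cluster KDC:"
    principals_only_in "$tmp/kdc-data.tsv" "$tmp/kdc-app.tsv"
    echo "Same principal name, different key on the two KDCs:"
    principals_with_different_keys "$tmp/kdc-app.tsv" "$tmp/kdc-data.tsv"
    rm -r "$tmp"
fi
```

Pass the two real dump files to the two functions; any output from the first explains the "not found in Kerberos database" error directly, and any output from the second shows that the shared realm name is only a name. Once one KDC has been converted into a slave that is fed from the master (MIT krb5 propagates the database with kprop/kpropd), the two dumps should agree and both functions print nothing.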
