Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2017/03/27 16:55:41 UTC

[jira] [Commented] (AMBARI-20586) Add (optional) master_kdcs to kerberos-env and generated krb5.conf file

    [ https://issues.apache.org/jira/browse/AMBARI-20586?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15943630#comment-15943630 ] 

Robert Levas commented on AMBARI-20586:
---------------------------------------

[~bsari]

{quote}
Add (optional) master_kdcs to kerberos-env and generated krb5.conf file. If kerberos-env/master_kdcs is not empty, it should contain a list of IP addresses or FQDNs for one or more KDCs. Multiple entries should be comma-delimited.
{quote}

I cannot find any examples where multiple master KDCs are allowed... so maybe this should only support a single master KDC for now; and, if needed, the feature can be expanded to allow for multiple master KDCs.

> Add (optional) master_kdcs to kerberos-env and generated krb5.conf file
> -----------------------------------------------------------------------
>
>                 Key: AMBARI-20586
>                 URL: https://issues.apache.org/jira/browse/AMBARI-20586
>             Project: Ambari
>          Issue Type: Bug
>            Reporter: Balázs Bence Sári
>            Assignee: Balázs Bence Sári
>             Fix For: 3.0.0, 2.5.1
>
>         Attachments: AMBARI-20586-Master-kdc_trunk_v2.patch
>
>
> Add (optional) {{master_kdcs}} to {{kerberos-env}} and generated krb5.conf file. If {{kerberos-env/master_kdcs}} is not empty, it should contain a list of IP addresses or FQDNs for one or more KDCs. Multiple entries should be comma-delimited.
> According to https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html:
> {quote} 
> master_kdc
> Identifies the master KDC(s). Currently, this tag is used in only one case: If an attempt to get credentials fails because of an invalid password, the client software will attempt to contact the master KDC, in case the user’s password has just been changed, and the updated database has not been propagated to the slave servers yet.
> {quote}
> This should help with scenarios where multiple KDCs are in a master/slave (or replicated) configuration. 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
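
Added example, not part of the original message or of Ambari's code: one way to turn a comma-delimited `master_kdcs` value into `master_kdc` lines of a generated krb5.conf, validating each entry as an IP address or FQDN so that a malformed property value cannot inject extra settings into the file. The function names, the realm and the host names are constructed for illustration. Treating `kdc_hosts` as comma-delimited and emitting one `master_kdc` line per entry are assumptions that follow the issue description; the comment above questions whether more than one master KDC is supported.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_host(value):
    """True if value is an IP address or a syntactically valid FQDN."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if len(value) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(_LABEL.fullmatch(label) for label in labels)


def parse_hosts(raw, prop):
    """Split a comma-delimited property; reject anything that is not a host."""
    entries = [e.strip() for e in (raw or "").split(",") if e.strip()]
    bad = [e for e in entries if not is_host(e)]
    if bad:
        # Rejecting here keeps newlines, braces and '=' out of krb5.conf.
        raise ValueError("%s: invalid entries %r" % (prop, bad))
    return entries


def render_realm(realm, kdc_hosts, master_kdcs=""):
    """Render one [realms] stanza; master_kdc lines only if the value is set."""
    lines = ["[realms]", "  %s = {" % realm]
    lines += ["    kdc = %s" % h for h in parse_hosts(kdc_hosts, "kdc_hosts")]
    # Assumption: one master_kdc line per entry, as the issue text describes.
    lines += ["    master_kdc = %s" % h
              for h in parse_hosts(master_kdcs, "master_kdcs")]
    lines.append("  }")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    print(render_realm("EXAMPLE.COM",
                       "kdc1.example.com,kdc2.example.com",
                       "kdc1.example.com"))
```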