Posted to mapreduce-user@hadoop.apache.org by John Lilley <jo...@redpoint.net> on 2015/03/17 20:22:53 UTC

Trusted-realm vs default-realm kerberos issue

Greetings,

We encountered the issue reported here:
https://issues.cloudera.org/browse/DISTRO-526
It seems that someone should have figured out a workaround by now, does anyone know what it is?

The problem is, the Hadoop installation uses an "Edge" AD controller as its KDC, and that Edge AD controller trusts an "enterprise" AD controller.  Trying to authenticate using the password equivalent of UserGroupInformation.loginUserFromKeytab() with a user in the "enterprise" realm fails, while a user in the "edge" realm succeeds.

Thanks
John


RE: Trusted-realm vs default-realm kerberos issue

Posted by John Lilley <jo...@redpoint.net>.
Michael and Alex, thanks for the replies.

The setup is indeed what Michael suggested, that the cluster KDC trusts the enterprise AD (which serves as a KDC also).
We did a lot more digging around and testing, and found that the problem was largely due to various flaws in our cluster krb5.conf files not matching exactly.  Unfortunately we made so many attempts that I can’t now recall exactly what we did to bring it all into line.

john

From: Alexander Alten-Lorenz [mailto:wget.null@gmail.com]
Sent: Wednesday, March 25, 2015 3:28 AM
To: user@hadoop.apache.org
Subject: Re: Trusted-realm vs default-realm kerberos issue

Do you have mapping rules which tell Hadoop that the trusted realm is allowed to log in?
http://mapredit.blogspot.de/2015/02/hadoop-and-trusted-mitv5-kerberos-with.html

BR,
 Alex


On 24 Mar 2015, at 18:21, Michael Segel <mi...@hotmail.com> wrote:

So…

If I understand, you’re saying you have a one way trust set up so that the cluster’s AD trusts the Enterprise AD?

And by AD you really mean KDC?

On Mar 17, 2015, at 2:22 PM, John Lilley <jo...@redpoint.net> wrote:

AD

The opinions expressed here are mine, while they may reflect a cognitive thought, that is purely accidental.
Use at your own risk.
Michael Segel
michael_segel (AT) hotmail.com







Re: Trusted-realm vs default-realm kerberos issue

Posted by Alexander Alten-Lorenz <wg...@gmail.com>.
Do you have mapping rules which tell Hadoop that the trusted realm is allowed to log in?
http://mapredit.blogspot.de/2015/02/hadoop-and-trusted-mitv5-kerberos-with.html

BR,
 Alex


> On 24 Mar 2015, at 18:21, Michael Segel <mi...@hotmail.com> wrote:
> 
> So… 
> 
> If I understand, you’re saying you have a one way trust set up so that the cluster’s AD trusts the Enterprise AD? 
> 
> And by AD you really mean KDC? 
> 
>> On Mar 17, 2015, at 2:22 PM, John Lilley <john.lilley@redpoint.net> wrote:
>> 
>> AD
> 
> The opinions expressed here are mine, while they may reflect a cognitive thought, that is purely accidental. 
> Use at your own risk. 
> Michael Segel
> michael_segel (AT) hotmail.com
> 
> 
> 
> 
> 

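Added illustration of the mapping rules Alex is asking about (example code written for this archive page; it is not from the thread, from Hadoop, or from the linked blog post). The Python below reimplements the matching semantics of Hadoop's hadoop.security.auth_to_local rules closely enough to show the failure mode in the original question: the shipped DEFAULT rule only maps principals whose realm equals the cluster's default realm, so a user from the trusted enterprise realm gets "No rules applied" at login even though the KDC-level trust is fine, and a RULE: entry naming the trusted realm is what admits them. The realm names EDGE.EXAMPLE.COM and ENTERPRISE.EXAMPLE.COM, the principals, and both rule sets are constructed for the example.

```python
import re

# Constructed realm names: the cluster ("edge") KDC realm that Hadoop treats as
# its default realm, and the enterprise realm it trusts. Both are assumptions.
DEFAULT_REALM = "EDGE.EXAMPLE.COM"
TRUSTED_REALM = "ENTERPRISE.EXAMPLE.COM"

# Grammar of one rule: RULE:[n:format](match)s/from/to/g, where the (match)
# and s/// parts are optional, or the literal word DEFAULT.
RULE_RE = re.compile(
    r"^RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")
NON_SIMPLE = re.compile(r"[/@]")   # a short name may not still carry host or realm


class NoMatchingRule(Exception):
    """Raised when no rule maps the principal; Hadoop's login fails the same way."""


def parse_principal(principal):
    """Split 'name/instance@REALM' into (realm, [components])."""
    name, sep, realm = principal.partition("@")
    if not sep or not realm:
        raise ValueError("principal has no realm: %s" % principal)
    return realm, name.split("/")


def parse_rule(text):
    """Parse one auth_to_local rule into a tuple the evaluator understands."""
    if text == "DEFAULT":
        return ("DEFAULT",)
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("malformed rule: %s" % text)
    ncomp, fmt, match, frm, to, g = m.groups()
    return ("RULE", int(ncomp), fmt,
            re.compile(match) if match else None,
            re.compile(frm) if frm else None, to or "", bool(g))


def apply_rule(rule, realm, comps, default_realm):
    """Return the short name produced by one rule, or None if it does not apply."""
    if rule[0] == "DEFAULT":
        # DEFAULT only accepts principals from the default realm: a user from the
        # trusted realm never matches it, whatever the cross-realm trust says.
        return comps[0] if realm == default_realm else None
    _, ncomp, fmt, match, frm, to, g = rule
    if len(comps) != ncomp:
        return None
    # $0 is the realm, $1..$n are the principal's name components.
    base = fmt.replace("$0", realm)
    for i, comp in enumerate(comps, start=1):
        base = base.replace("$%d" % i, comp)
    if match is not None and match.fullmatch(base) is None:
        return None
    if frm is not None:
        base = frm.sub(to, base, count=0 if g else 1)
    return base


def to_short_name(principal, rules, default_realm=DEFAULT_REALM):
    """Map a Kerberos principal to a Hadoop user name using the first matching rule."""
    realm, comps = parse_principal(principal)
    for text in rules:
        result = apply_rule(parse_rule(text), realm, comps, default_realm)
        if result is not None:
            if NON_SIMPLE.search(result):
                raise NoMatchingRule("Non-simple name %s after rule %s" % (result, text))
            return result
    raise NoMatchingRule("No rules applied to %s" % principal)


# Two constructed values for hadoop.security.auth_to_local in core-site.xml:
# the shipped default, and one that also admits users and service principals
# from the trusted realm (strip the realm, keep the first component).
RULES_DEFAULT_ONLY = ["DEFAULT"]
RULES_WITH_TRUSTED_REALM = [
    r"RULE:[1:$1@$0](.*@ENTERPRISE\.EXAMPLE\.COM)s/@.*//",
    r"RULE:[2:$1@$0](.*@ENTERPRISE\.EXAMPLE\.COM)s/@.*//",
    "DEFAULT",
]


def login_outcome(principal, rules):
    """Summarise what a UGI login would see: the mapped user, or the mapping error."""
    try:
        return "ok:" + to_short_name(principal, rules)
    except NoMatchingRule as err:
        return "rejected:" + str(err)


if __name__ == "__main__":
    for rules in (RULES_DEFAULT_ONLY, RULES_WITH_TRUSTED_REALM):
        print("rules:", rules)
        for p in ("alice@" + DEFAULT_REALM, "bob@" + TRUSTED_REALM,
                  "hdfs/nn1.example.com@" + DEFAULT_REALM):
            print("  ", p, "->", login_outcome(p, rules))
```

The rule set lives in hadoop.security.auth_to_local in core-site.xml, one rule per line, and must be identical on every node; a rule that works on the gateway but is missing on a worker reproduces exactly the "works for one realm, fails for the other" symptom. On a real cluster the same mapping can be checked without a login attempt by running hadoop org.apache.hadoop.security.HadoopKerberosName user@REALM, which prints the short name or the "No rules applied" error.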

Re: Trusted-realm vs default-realm kerberos issue

Posted by Michael Segel <mi...@hotmail.com>.
So… 

If I understand, you’re saying you have a one way trust set up so that the cluster’s AD trusts the Enterprise AD? 

And by AD you really mean KDC? 

> On Mar 17, 2015, at 2:22 PM, John Lilley <jo...@redpoint.net> wrote:
> 
> AD

The opinions expressed here are mine, while they may reflect a cognitive thought, that is purely accidental. 
Use at your own risk. 
Michael Segel
michael_segel (AT) hotmail.com





