Thank you so much Todd! /addhosttorealmmap was what I was missing :) On Jul 24, 2015 10:09 AM, "Todd Grayson" <tgray...@cloudera.com> wrote:
> The windows desktop user has its kerberos credentials from the AD KDC by > nature of logging into the AD domain (REALM) for their desktop. > > The ksetup command on the windows desktop (/addkdc and /addhosttorealmmap) > allows you to describe the MIT kerberos realm, and how to map fqdn > hostnames / domain names to a kerberos realm for that windows host (I > believe group policy can be used to configure at larger scale). This is > beyond the basic trust you have already established from the domain > controller (and I assume is working, can you do a hadoop fs -ls as an AD > user...). > > The kerberos credentials get applied in CLI integration with the cluster, > the command line tools are kerberos authentication aware. > > Enabling kerberos within hadoop changes the mode of operation for the > cluster to secure/isolation mode, and all users must be represented with > user/group accounts that will be scheduling running jobs. > > Generally speaking for windows desktop users getting SPNEGO (kerberos over > HTTP, "Secure web authentication") and ODBC/JDBC connections working to the > cluster becomes the bulk of activity... The ksetup docs for /addkdc and > /addhosttorealmmap are going to be the most critical for you... > https://technet.microsoft.com/en-us/library/hh240190.aspx > > On Fri, Jul 24, 2015 at 8:22 AM, Ben Kim <benkimkim...@gmail.com> wrote: > >> Hi >> Currently I have hadoop system setup with MIT kerberos and built trust >> between windiws AD server. >> >> How would a AD user logged in to windows PC sso authenticate with an >> application that works with MIT kerberos? >> >> Best regards >> Ben >> ________________________________________________ >> Kerberos mailing list Kerberos@mit.edu >> https://mailman.mit.edu/mailman/listinfo/kerberos >> > > > > -- > Todd Grayson > Customer Operations Engineering > > ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
