[37169] in Kerberos


Re: How would windows AD user authenticate with MIT kerberos

daemon@ATHENA.MIT.EDU (Todd Grayson)
Fri Jul 24 11:09:51 2015

In-Reply-To: <CAMaDncKRRJTLssnPwQG1x=GCLeGqMZm-0Uu+uyOfVi8pah--SQ@mail.gmail.com>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Fri, 24 Jul 2015 09:09:16 -0600
Message-ID: <CALNT6MXnfkC_uYtMWdwHyG7Lh8SX=SmQ-MF0cON8HcxdDKsRUA@mail.gmail.com>
To: Ben Kim <benkimkimben@gmail.com>
Cc: kerberos@mit.edu

The windows desktop user has its kerberos credentials from the AD KDC by
nature of logging into the AD domain (REALM) for their desktop.

The ksetup command on the windows desktop (/addkdc and /addhosttorealmmap)
allows you to describe the MIT kerberos realm, and how to map fqdn
hostnames / domain names to a kerberos realm for that windows host (I
believe group policy can be used to configure at larger scale).  This is
beyond the basic trust you have already established from the domain
controller (and I assume is working, can you do a hadoop fs -ls as an AD
user...).

The kerberos credentials get applied in CLI integration with the cluster,
the command line tools are kerberos authentication aware.

Enabling kerberos within hadoop changes the mode of operation for the
cluster to secure/isolation mode, and all users must be represented with
user/group accounts that will be scheduling running jobs.

Generally speaking for windows desktop users getting SPNEGO (kerberos over
HTTP, "Secure web authentication") and ODBC/JDBC connections working to the
cluster becomes the bulk of activity...   The ksetup docs for /addkdc and
/addhosttorealmmap are going to be the most critical for you...
https://technet.microsoft.com/en-us/library/hh240190.aspx

On Fri, Jul 24, 2015 at 8:22 AM, Ben Kim <benkimkimben@gmail.com> wrote:

> Hi
> Currently I have hadoop system setup with MIT kerberos and built trust
> between Windows AD server.
>
> How would an AD user logged in to windows PC sso authenticate with an
> application that works with MIT kerberos?
>
> Best regards
> Ben
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Todd Grayson
Customer Operations Engineering
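
The ksetup steps named in the message above, written out as an added example that is not part of the original post. The realm, KDC, host suffix and service names are constructed placeholders, and Invoke-Ksetup is a hypothetical helper; only the /addkdc and /addhosttorealmmap switches come from the message.

```powershell
# Added example: every realm and host name below is a constructed placeholder.
$MitRealm = 'HADOOP.EXAMPLE.COM'            # MIT Kerberos realm name
$MitKdcs  = @('kdc1.hadoop.example.com')    # KDC host(s) serving that realm
$HostMaps = @('.hadoop.example.com')        # DNS suffix (leading dot) or single FQDNs in the realm

# ksetup changes machine-wide Kerberos settings, so refuse to run unelevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Hypothetical helper: run ksetup and stop on the first failure.
# Assumes ksetup signals failure through a nonzero exit code.
function Invoke-Ksetup {
    param([string[]]$Arguments)
    & ksetup.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "ksetup $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Describe the MIT realm to this Windows host: one /addkdc call per KDC.
foreach ($kdc in $MitKdcs) {
    Invoke-Ksetup @('/addkdc', $MitRealm, $kdc)
}

# 2. Map cluster host names (or a whole DNS suffix) to the MIT realm, so that a
#    service ticket request for those hosts is referred to that realm.
foreach ($entry in $HostMaps) {
    Invoke-Ksetup @('/addhosttorealmmap', $entry, $MitRealm)
}

# 3. Print the resulting realm and host-to-realm configuration for review.
& ksetup.exe

# 4. Check afterwards, from the AD user's normal (non-elevated) session:
#      klist get HTTP/gateway.hadoop.example.com   # request a ticket for a cluster service
#      klist                                       # the ticket should show the MIT realm
```

Microsoft's ksetup documentation notes that a restart is needed before a new realm setting is used, so run the step 4 check after rebooting.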