[37188] in Kerberos


Re: How would windows AD user authenticate with MIT kerberos

daemon@ATHENA.MIT.EDU (Ben Kim)
Mon Aug 3 17:36:54 2015

MIME-Version: 1.0
In-Reply-To: <CALNT6MXnfkC_uYtMWdwHyG7Lh8SX=SmQ-MF0cON8HcxdDKsRUA@mail.gmail.com>
Date: Mon, 3 Aug 2015 16:36:31 -0500
Message-ID: <CAMaDncLzNOKQB+7UpbYuR3MyQ6=xXvgxS=zo-bNdMV5wR5o0pw@mail.gmail.com>
From: Ben Kim <benkimkimben@gmail.com>
To: Todd Grayson <tgrayson@cloudera.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Thank you so much Todd! /addhosttorealmmap was what I was missing :)
On Jul 24, 2015 10:09 AM, "Todd Grayson" <tgrayson@cloudera.com> wrote:

> The windows desktop user has its kerberos credentials from the AD KDC by
> nature of logging into the AD domain (REALM) for their desktop.
>
> The ksetup command on the windows desktop (/addkdc and /addhosttorealmmap)
> allows you to describe the MIT kerberos realm, and how to map fqdn
> hostnames / domain names to a kerberos realm for that windows host (I
> believe group policy can be used to configure at larger scale).  This is
> beyond the basic trust you have already established from the domain
> controller (and I assume is working, can you do a hadoop fs -ls as an AD
> user...).
>
> The kerberos credentials get applied in CLI integration with the cluster,
> the command line tools are kerberos authentication aware.
>
> Enabling kerberos within hadoop changes the mode of operation for the
> cluster to secure/isolation mode, and all users must be represented with
> user/group accounts that will be scheduling running jobs.
>
> Generally speaking for windows desktop users getting SPNEGO (kerberos over
> HTTP, "Secure web authentication") and ODBC/JDBC connections working to the
> cluster becomes the bulk of activity...   The ksetup docs for /addkdc and
> /addhosttorealmmap are going to be the most critical for you...
> https://technet.microsoft.com/en-us/library/hh240190.aspx
>
> On Fri, Jul 24, 2015 at 8:22 AM, Ben Kim <benkimkimben@gmail.com> wrote:
>
>> Hi
>> Currently I have hadoop system setup with MIT kerberos and built trust
>> between Windows AD server.
>>
>> How would an AD user logged in to windows PC sso authenticate with an
>> application that works with MIT kerberos?
>>
>> Best regards
>> Ben
>> ________________________________________________
>> Kerberos mailing list           Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
>
> --
> Todd Grayson
> Customer Operations Engineering
>
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
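
The ksetup steps discussed in this thread (/addkdc and /addhosttorealmmap), as an added example that is not part of either poster's message. The realm, KDC and host names are constructed placeholders; it assumes an elevated PowerShell prompt on the Windows desktop and an already working cross-realm trust.

```powershell
# Constructed placeholder values: substitute your own MIT realm, KDCs and hosts.
$MitRealm = 'HADOOP.EXAMPLE.COM'
$MitKdcs  = @('kdc1.hadoop.example.com', 'kdc2.hadoop.example.com')
# A leading dot maps every host under that DNS suffix; a bare FQDN maps one host.
$HostMaps = @('.hadoop.example.com', 'gateway.example.net')
# Hypothetical SPNEGO-protected service used only to test ticket issuance.
$TestSpn  = 'HTTP/namenode.hadoop.example.com'

# Tell this Windows host where the MIT realm's KDCs are.
foreach ($kdc in $MitKdcs) {
    ksetup /addkdc $MitRealm $kdc
    if ($LASTEXITCODE -ne 0) { throw "ksetup /addkdc failed for $kdc" }
}

# Map hostnames / DNS suffixes to the MIT realm so that service tickets for
# those hosts are requested from that realm rather than the AD domain.
foreach ($entry in $HostMaps) {
    ksetup /addhosttorealmmap $entry $MitRealm
    if ($LASTEXITCODE -ne 0) { throw "ksetup /addhosttorealmmap failed for $entry" }
}

# Show the resulting realm configuration on this host.
ksetup

# As the logged-in AD user, request a service ticket for the test SPN and
# list the ticket cache. A ticket for the SPN in the MIT realm, plus a
# cross-realm krbtgt entry, indicates the mapping and trust are both in effect.
klist get $TestSpn
klist
```

If `klist get` fails after the mapping is in place, check the trust and the encryption types shared between the two realms before changing the client configuration further.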
