
Kerberos on Oracle Big Data Appliance FAQ (Doc ID 1611344.1)

Last updated on OCTOBER 31, 2019

Applies to:

Big Data Appliance Integrated Software - Version 2.3.1 and later
Linux x86-64

Purpose

Frequently Asked Questions for Kerberos on the BDA.

Questions and Answers



In this Document
Purpose
Questions and Answers
 What is Kerberos?
 What is the recommended way to integrate Kerberos with Active Directory (AD) on the BDA?
 Is Active Directory without TLS supported on BDA 4.5 and higher?
 What are the benefits of enabling MIT Kerberos with Mammoth vs enabling MIT Kerberos using the Cloudera provided manual setup?
 If you enable Kerberos with Mammoth and make changes, for example checking the box for "Manage krb5.conf through Cloudera Manager", do those changes need to be manually undone when using Mammoth to disable Kerberos?
 With what version of the BDA is support for deploying a secure cluster with Kerberos provided via the Mammoth utility?
 If Kerberos is installed with Mammoth or using the Mammoth reconfiguration utility to configure Kerberos authentication with "./mammoth-reconfig add kerberos", what other manual configuration is required?
 If Kerberos is enabled with the Mammoth reconfiguration utility can the reconfiguration utility be used to remove Kerberos authentication?
 What is a Kerberos Principal?
 What is the format of a Kerberos 5 principal?
 What is a Kerberos realm?
 What is the KDC?
 What happens if the master KDC node goes down?
 If a rack contains multiple clusters is it possible to define each KDC in the cluster with Mammoth?
 What is the best way to handle multiple remote KDCs?
 What is a Keytab File?
 Is /etc/krb5.keytab the system default keytab file?
 What is a Kerberos Database?
 What is the krb5.conf file?
 Where does the krb5.conf file reside?
 What is the layout of /etc/krb5.conf?
 What specifically does /etc/krb5.conf on the BDA look like?
 Aside from checking the /etc/krb5.conf [realms] section is there any other way to identify the BDA node running the master and slave KDC and Administration server?
 What can be done if there are Kerberos authentication issues regarding the Kerberos cache?
 What does the Kerberos server refer to?
 What is a Kerberos Key?
 What is a Kerberos client?
 What does the term application server mean?
 What is krb5kdc?
 What is the krb5kdc service?
 What is the kadmin service?
 Where do the krb5kdc and kadmin services run?
 What information is stored under /var/kerberos/krb5kdc?
 What is the kprop command and kpropd process?
 How often is the Kerberos database dump file propagated from the master KDC to the slave KDC on the BDA?
 If Kerberos is installed by Mammoth should a cmf.keytab file reside under /opt/oracle/BDAMammoth?
 What Kerberos utilities should I be aware of?
 What is cross-realm authentication?
 Should I change the master key in Kerberos 5?
 What is a good sanity check to make sure that Kerberos is set up and working properly?
 On a Secure cluster should the krb5kdc and kadmin services be started during boot startup?
 In a Kerberos configured cluster, what value should the DataNode Data Directory Permissions (dfs.datanode.data.dir.perm), i.e. the permissions for the directories on the local file system where the DataNode stores its blocks, be set to?
 Will using 700 prevent users in the hive group from accessing data? Is it required to use 750 so the hive user and those in the hive group can access data, but not allow any users in any other groups to access the data?
 What is the krb5prop.sh script doing?
 Is there a set of documented steps for configuring LDAP with Kerberos?
 krb5.conf contains dns_lookup_kdc=false, but the usage of Kerberos on cluster nodes requires Kerberos realm resolution through DNS, hence dns_lookup_kdc should be set to "true". The change of this parameter can be carried out using Cloudera Manager. Does Mammoth overwrite the setting? Does Mammoth propagate the setting to added nodes?
 What principals are auto generated by Cloudera Manager when Kerberos is enabled on the cluster?
 Can the CM generated principals be used for running hadoop jobs on the cluster?
 What about BDA Kerberos requirement for a remote KDC?
 Are there any issues to consider when rebuilding the Domain Controller for AD Kerberos on BDA 4.4, as long as no hostnames or IPs change?
 What documentation is available on SPNEGO Web Browser Authentication?
 Is there other documentation on Kerberos and SPNEGO for a cluster with AD Kerberos but no cross domain trust?
 What documentation is available if a cross realm trust can't be setup to AD?
 Is there any other information on oozie authentication with Kerberos?
 When an AD Kerberos Principal is created do you have the ability to control properties of the principal?
 When a service is moved from one node to another, is the old Kerberos principal removed automatically or do you have to manually go and delete the principal?
 Is there downtime when enabling/disabling Kerberos?
 What might be a reason that a user cannot access HDFS after MIT Kerberos authentication?
 If AD Kerberos is manually installed on a cluster i.e. installed without Mammoth, will future Mammoth/bdacli commands work?
 Why is using Sentry without Kerberos not recommended/not supported on BDA?
References
