directory-kerby mailing list archives

From "Li, Jiajia" <>
Subject RE: Kerby Update
Date Mon, 06 Nov 2017 01:46:17 GMT
Hi Colm,

>>>a) What information is required in the krb5.conf of the tool-dist?
The capaths, realms and domain_realm sections are required, the same as in MIT Kerberos.

>>>b) Could you give an example (using the A.EXAMPLE.COM + B.EXAMPLE.COM
>>>realms) for the "Validate" section of the docs (

To validate that the user ("test") within realm A.EXAMPLE.COM is trusted to access the resource ("hdfs")
in another realm B.EXAMPLE.COM, do the following steps (the conf dir is "conf"):
1. sh bin/ -conf conf test@A.EXAMPLE.COM
We will get the credential cache ("/tmp/krb5cc_0").
2. sh bin/ -conf conf -c /tmp/krb5cc_0 -S hdfs@B.EXAMPLE.COM
Then we will get the service tgt; MIT Kerberos uses "kvno" to get the service tgt in this step.


-----Original Message-----
From: Colm O hEigeartaigh [] 
Sent: Friday, November 3, 2017 7:04 PM
Subject: Re: Kerby Update

Hi Jiajia,

I've been trying to get this new feature working, but unsuccessfully so far
- I get an error:

2017-11-03 10:58:41  INFO{}-Send to kdc success.
2017-11-03 10:58:41  INFO{}-KDC server response with
message: Unknown error
2017-11-03 10:58:41  INFO{}-Unknown error

Could you clarify a few points for me please...

a) What information is required in the krb5.conf of the tool-dist?
b) Could you give an example (using the A.EXAMPLE.COM + B.EXAMPLE.COM
realms) for the "Validate" section of the docs (
It's a little unclear as to how exactly it should be used.


On Mon, Oct 23, 2017 at 2:22 AM, Li, Jiajia <> wrote:

> Hi all,
> Recently we have implemented cross-realm authentication support: a
> KDC in one realm can authenticate users in a different realm, so it
> allows clients from another realm to access the cluster. Cross-realm
> authentication is accomplished by sharing a secret key between the two
> realms. Both backends should have the krbtgt service principals for the
> realms with the same passwords, key version numbers, and encryption types.
> We have used this feature in a Hadoop cluster: after establishing cross-realm
> trust between two secure Hadoop clusters with their own realms,
> copying data between the two secure clusters now works. This
> support can also be used to build a trust relationship with an MIT Kerberos KDC, and we have
> tested compatibility.
> Here is the document about setting up cross realm:
> md
> Thanks,
> Jiajia

Colm O hEigeartaigh

Talend Community Coder