7.1. Configure Kerberos Hadoop Realm on the AD DC

Configure the Hadoop realm on the AD DC server and set up the one-way trust.

Add the Hadoop Kerberos realm and KDC host to the DC:
ksetup /addkdc $hadoop.realm $KDC-host
Establish one-way trust between the AD domain and the Hadoop realm:
netdom trust $hadoop.realm /Domain:$AD.domain /add /realm /passwordt:$trust_password
(Optional) If Windows clients within the AD domain need to access Hadoop Services, and the domain does not have a search route to find the services in Hadoop realm, run the following command to create a hostmap for Hadoop service host:
ksetup /addhosttorealmmap $hadoop-service-host $hadoop.realm
Note
Run the above for each $hadoop-host that provides services that need to be accessed by Windows clients. For example, Oozie host, WebHCat host, etc.
(Optional) Define the encryption type:
ksetup /SetEncTypeAttr $hadoop.realm $encryption_type
Set encryption types based on your security requirements. Mismatched encryption types cause problems.
Note
Run ksetup /GetEncTypeAttr $krb_realm to list the available encryption types. Verify that the encryption type is configured for the Hadoop realm in the krb5.conf.

	Note
Run the above for each $hadoop-host that provides services that need to be accessed by Windows clients. For example, Oozie host, WebHCat host, etc.

	Note
Run ksetup /GetEncTypeAttr $krb_realm to list the available encryption types. Verify that the encryption type is configured for the Hadoop realm in the krb5.conf.