Failed to Configure Cross-Cluster Mutual Trust
Symptom
The cross-cluster mutual trust relationship cannot be established between a cluster earlier than MRS 1.8.2 and a cluster later than MRS 1.8.2.
Cause Analysis
After a cross-cluster mutual trust relationship is configured, the internal users krbtgt/local cluster domain name@external cluster domain name and krbtgt/external cluster domain name@local cluster domain name are added to both clusters. The default password of these users is Admin@123 in MRS cluster versions earlier than 1.8.2 and Crossrealm@123 in MRS cluster 1.8.2 and later. Kerberos cross-realm authentication requires each of these principals to have the same key in both clusters, so the mutual trust configuration fails when the two cluster versions create them with different passwords.
Procedure
- Scenario without mutual trust being configured
  - Before configuring the mutual trust, log in to the Master node in the cluster of MRS 1.8.2 or later.
  - On all Master nodes, in the add_cross_realm_princ method of the /opt/Bigdata/om-0.0.1/sbin/addRealm.sh script (line 1001 of the script), change local cross_realm_account_pwd="${DEFAULT_CROSS_REALM_PWD}" to local cross_realm_account_pwd="${DEFAULT_PWD}".
  - Then, configure cross-cluster mutual trust by referring to Configuring Cross-Cluster Mutual Trust Relationships.
  - Check whether the mutual trust relationship is established.
    - If yes, the configuration is complete.
    - If the relationship fails to be established, refresh the client configuration and check again whether the trust relationship is established. If the problem persists, submit a service ticket.
- Scenario with mutual trust being configured
  - Log in to the Master node in the cluster of MRS 1.8.2 or later.
  - Run the /home/omm/kerberos/bin/kadmin -p kadmin/admin command and enter the password of the Kerberos client.
  - Run the listprincs command and press Enter to query user information.
  - Run the delprinc command to delete users krbtgt/local cluster domain name@external cluster domain name and krbtgt/external cluster domain name@local cluster domain name.
  - Run the quit command to exit the Kerberos client.
  - On the Master nodes, in the add_cross_realm_princ method of the /opt/Bigdata/om-0.0.1/sbin/addRealm.sh script (line 1001 of the script), change local cross_realm_account_pwd="${DEFAULT_CROSS_REALM_PWD}" to local cross_realm_account_pwd="${DEFAULT_PWD}".
  - Log in to MRS Manager, and choose Services.
  - Choose More > Synchronize Configuration.
  - In the dialog box displayed, select Restart the service or instance whose configuration has expired and click OK.
    During configuration synchronization, the addRealm.sh script is invoked to add the krbtgt user.
  - Check whether the mutual trust is established. If it still fails, submit a service ticket.
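The addRealm.sh edit used in both scenarios can be made as a scoped, repeatable change that keeps a backup; the script below is an added example, not part of the MRS documentation or Huawei's tooling. It assumes the function is declared as add_cross_realm_princ() or function add_cross_realm_princ and ends at the first } in column 1; the function name patch_cross_realm_pwd and the demo file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Huawei's code). Assumptions: the function is declared as
# "add_cross_realm_princ()" or "function add_cross_realm_princ" and ends at the
# first "}" in column 1. Try it on a copy of addRealm.sh before the real file.
OLD_ASSIGN='local cross_realm_account_pwd="${DEFAULT_CROSS_REALM_PWD}"'
NEW_ASSIGN='local cross_realm_account_pwd="${DEFAULT_PWD}"'

# patch_cross_realm_pwd FILE
# Prints patched / already-patched / not-found; returns 0 / 0 / 2 (1 on I/O error).
patch_cross_realm_pwd() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    rc=0
    # Rewrite the assignment only inside add_cross_realm_princ; the awk exit
    # status reports what was found there (0 changed, 3 already new, 2 neither).
    FROM="$OLD_ASSIGN" TO="$NEW_ASSIGN" awk '
        BEGIN { from = ENVIRON["FROM"]; to = ENVIRON["TO"] }
        /^[ \t]*(function[ \t]+add_cross_realm_princ|add_cross_realm_princ[ \t]*\(\))/ { inside = 1 }
        inside && (i = index($0, from)) {
            $0 = substr($0, 1, i - 1) to substr($0, i + length(from)); changed = 1
        }
        inside && index($0, to) { seen_new = 1 }
        inside && /^}/ { inside = 0 }
        { print }
        END { exit changed ? 0 : (seen_new ? 3 : 2) }
    ' "$file" > "$tmp" || rc=$?
    case $rc in
        0)  # Keep a backup, then write in place so mode and owner are preserved.
            cp -p "$file" "$file.bak" && cat "$tmp" > "$file" && echo patched || rc=1 ;;
        3)  echo already-patched; rc=0 ;;
        2)  echo not-found ;;
        *)  echo "awk failed on $file" >&2; rc=1 ;;
    esac
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed stand-in for the script (not the real addRealm.sh).
demo=$(mktemp)
cat > "$demo" <<'EOF'
add_cross_realm_princ() {
    local cross_realm_account_pwd="${DEFAULT_CROSS_REALM_PWD}"
}
EOF
patch_cross_realm_pwd "$demo"      # first run rewrites the line
patch_cross_realm_pwd "$demo"      # second run is a no-op
rm -f "$demo" "$demo.bak"
```

A not-found result means the assignment was not where the procedure expects it, so inspect the script by hand rather than editing elsewhere in the file.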