Help Center/ MapReduce Service/ Troubleshooting/ Cluster Management/ Failed to Configure Cross-Cluster Mutual Trust for MRS
Updated on 2023-11-30 GMT+08:00

Failed to Configure Cross-Cluster Mutual Trust for MRS

Symptom

The cross-cluster mutual trust relationship cannot be established between a cluster earlier than MRS 1.8.2 and a cluster later than MRS 1.8.2.

Cause Analysis

After cross-cluster mutual trust is configured, users krbtgt/Local cluster domain name@External cluster domain name and krbtgt/External cluster domain name@Local cluster domain name are added to both clusters. The default passwords for the users of the two clusters are different. As a result, cross-cluster mutual trust fails to be configured.

Procedure

  • Scenario without mutual trust being configured:
    1. Before configuring the mutual trust, log in to the Master node in the cluster of MRS 1.8.2 or later.
    2. Change the value of local cross_realm_account_pwd="${DEFAULT_CROSS_REALM_PWD}" in the add_cross_realm_princ method of the /opt/Bigdata/om-0.0.1/sbin/addRealm.sh script on all master nodes to local cross_realm_account_pwd="${DEFAULT _PWD}" (in line 1001 of the script).

      Perform steps from 1 to 2 on all master nodes in the cluster of MRS 1.8.2 or later.

    3. Then, configure cross-cluster mutual trust by referring to Configuring Cross-Cluster Mutual Trust Relationships.
    4. Check whether the mutual trust relationship is established.
      • If yes, the configuration is complete.
      • If the relationship fails to be established, refresh the client configuration and check whether the trust relationship is established. If the problem persists, contact O&M personnel.
  • Scenario with mutual trust being configured
    1. Log in to the master node in the cluster of MRS 1.8.2 or later.
    2. Run the /home/omm/kerberos/bin/kadmin -p kadmin/admin command and enter the password of the Kerberos client.
    3. Run the listprincs command and press Enter to query user information.

    4. Run the delprinc command to delete users krbtgt/Local cluster domain name@External cluster domain name and krbtgt/External cluster domain name@Local cluster domain name.
    5. Run the quit command to exit the Kerberos client.
    6. Change the value of local cross_realm_account_pwd="${DEFAULT_CROSS_REALM_PWD}" in the add_cross_realm_princ method of the /opt/Bigdata/om-0.0.1/sbin/addRealm.sh script on the master nodes to local cross_realm_account_pwd="${DEFAULT _PWD}" (in line 1001 of the script).
    7. Log in to MRS Manager, and choose Services.
    8. Click More and select Synchronize Configuration.
    9. In the dialog box displayed, select Restart the service or instance whose configuration has expired and click OK.

      During configuration synchronization, the addRealm.sh script is invoked to add the krbtgt user.

      Perform steps from 1 to 9 on all master nodes in the cluster of MRS 1.8.2 or later.

    10. Check whether the mutual trust is established. If it still fails, contact O&M personnel.