
Trying to authenticate between two different AD domains using a keytab, in order to read from a Kafka topic.

So system A has AD domain A, a valid user/keytab in domain A etc., a valid Sentry role, a Kafka topic, consumer group etc.

System B is in AD domain B, and has the keytab from system A.

Is there any way to read from the Kafka topic? If I add the system A AD domain details into the system B krb5.conf file, I can see the topic. When I remove them, it fails. Our experiment is to do this without allowing system B to contact our KDC, however.

Is there any way to do this? We've tried using Java and Scala.

Chompers
  • You will need (at least) a one-way trust configured between your realms. https://community.cloudera.com/t5/Community-Articles/How-does-a-cross-realm-trust-work/ta-p/245705 – mazaneicha Sep 16 '19 at 14:18
  • Yes, that’s what we’re finding. I was assured by an architect that it was possible, but nothing is working yet. Just thought I’d ask if anyone has solved it. I was pointed to some Confluent doco, but that all assumes you’re in the same realm. – Chompers Sep 16 '19 at 14:21
  • It's being done everywhere all the time :) Your AD admins should just follow the config guide. – mazaneicha Sep 16 '19 at 14:24

0 Answers