ambari-user mailing list archives

From Steve Howard <stevedhow...@gmail.com>
Subject Re: Active Directory as a KDC for Hadoop
Date Fri, 29 May 2015 01:12:51 GMT
Just to close the loop on this, this is definitely an issue with how Server
2008 handles UPNs.  As soon as I installed 2012 R2, with the exact same
config, everything worked.

I had a ticket open with Hortonworks, and have asked them to add the Server
2012 requirement to the documentation for anyone that wants to secure a
cluster with AD Kerberos.  Hopefully this will save someone else a lot of
heartburn.

On Wed, May 27, 2015 at 10:55 AM, Steve Howard <stevedhoward@gmail.com>
wrote:

> Hi All,
>
> We are having an issue with the Ambari 2.0 release, and its wizard to
> configure Active Directory as a KDC for securing the cluster.  We had no
> errors during configuration, but none of the services start after it has
> been completed.
>
> Specifically, we get the infamous "Client not found in Kerberos database"
> message.  This is actually a very simple one-node cluster with Ambari and
> HDP on CentOS 6.  We point to a Windows Server 2008 AD DC.  When we print
> the associated attributes in AD, it looks like the UPN is formatted as a
> service principal name, which I don't think AD supports.
>
> See below for a snippet of the attributes in AD...
>
> [root@ambari2 ~]# /usr/jdk64/jdk1.7.0_67/bin/java TestAD | strings -a | grep nn
> >>>"CN=nn/ambari2.howard.local,CN=Users"
> cn: nn/ambari2.howard.local
> userPrincipalName: nn/ambari2.howard.local@HOWARD.LOCAL
> servicePrincipalName: nn/ambari2.howard.local
> distinguishedName: CN=nn/ambari2.howard.local,CN=Users,DC=howard,DC=local
> name: nn/ambari2.howard.local
> [root@ambari2 ~]#
>
> Has anyone run into this?  Conversely, has anyone gotten AD to work as a KDC
> for Hadoop?
>
> Thanks,
>
> Steve
>
