ambari-user mailing list archives

From Robert Levas <rle...@hortonworks.com>
Subject Re: Active Directory as a KDC for Hadoop
Date Wed, 27 May 2015 17:20:05 GMT
Hi Steve...

We have successfully enabled Kerberos on many clusters using AD as the KDC.  My experience
is with Windows Server 2012, though.

The details you are showing for the NN service identity look correct, so I don't think that
is an issue.  If it wasn't, Active Directory would have rejected it upon creation of the account.
However, if you believe that the UPN is incorrect, you can disable Kerberos and then re-enable
Kerberos. On the 2nd Wizard screen you should edit the "Attribute template" under
the "Advanced kerberos-env" section and change:

Original:   "userPrincipalName": "$normalized_principal",
Updated:   "userPrincipalName": "$principal_name",

The "Client not found in Kerberos database" indicates that the identity in question may not
have been created.  There may be several reasons for this... maybe the UPN is incorrect, maybe
the host cannot communicate with the AD (this could happen if the krb5.conf file is incorrect).

I hope this helps,
Rob
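The two template lines Rob quotes differ only in which variable fills `userPrincipalName`, and the error Steve sees means the principal the client requests does not resolve to an account in AD. The following is an added example, not code from the thread or from the Ambari project: it renders both template variants for the NN principal and checks an attribute dump (constructed here from Steve's snippet) for a `userPrincipalName` that matches the principal a Hadoop client would request. It assumes `$normalized_principal` means the principal with the realm appended and `$principal_name` the principal without it; the `$realm` and `$is_service` variables are assumptions as well.

```python
"""Render kerberos-env style attribute templates and check an AD account's
userPrincipalName against the principal a Kerberos client will request.

Added example; not from the mailing-list thread or the Ambari project.
Assumed variable meanings: $normalized_principal = principal with realm,
$principal_name = principal without realm; $realm and $is_service are
assumed extras.
"""
import re
from string import Template

# Constructed attribute dump, modelled on the snippet posted in the thread.
AD_ATTRIBUTES = """\
cn: nn/ambari2.howard.local
userPrincipalName: nn/ambari2.howard.local@HOWARD.LOCAL
servicePrincipalName: nn/ambari2.howard.local
distinguishedName: CN=nn/ambari2.howard.local,CN=Users,DC=howard,DC=local
"""

# The two template lines quoted in the reply.
ORIGINAL_TEMPLATE = '"userPrincipalName": "$normalized_principal",'
UPDATED_TEMPLATE = '"userPrincipalName": "$principal_name",'


def split_principal(principal):
    """Split 'primary/instance@REALM' into (primary, instance, realm);
    instance and realm are None when absent."""
    m = re.fullmatch(r"([^/@]+)(?:/([^@]+))?(?:@([^@]+))?", principal)
    if not m:
        raise ValueError("not a Kerberos principal: %r" % principal)
    return m.group(1), m.group(2), m.group(3)


def template_variables(principal, realm):
    """Build the substitution map for a principal in the given realm."""
    primary, instance, p_realm = split_principal(principal)
    if p_realm is not None and p_realm != realm:
        raise ValueError("principal realm %r differs from %r" % (p_realm, realm))
    name = primary if instance is None else "%s/%s" % (primary, instance)
    return {
        "principal_name": name,                        # nn/host
        "normalized_principal": "%s@%s" % (name, realm),  # nn/host@REALM
        "realm": realm,
        "is_service": "true" if instance else "false",
    }


def render(template, principal, realm):
    """Fill a template line with the variables for one principal."""
    return Template(template).substitute(template_variables(principal, realm))


def parse_attributes(dump):
    """Parse 'name: value' lines into a dict of attribute -> list of values."""
    attrs = {}
    for line in dump.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def check_upn(dump, principal, realm):
    """Return findings explaining why a client requesting `principal` might get
    'Client not found in Kerberos database'; an empty list means the account's
    userPrincipalName matches the requested principal exactly."""
    attrs = parse_attributes(dump)
    expected = template_variables(principal, realm)["normalized_principal"]
    upns = attrs.get("userPrincipalName", [])
    findings = []
    if not upns:
        findings.append("no userPrincipalName in dump: account may not exist")
    elif expected not in upns:
        if expected.lower() in [u.lower() for u in upns]:
            findings.append("userPrincipalName %r differs from %r only in case"
                            % (upns[0], expected))
        else:
            findings.append("userPrincipalName %r does not match requested principal %r"
                            % (upns[0], expected))
    return findings


if __name__ == "__main__":
    nn, realm = "nn/ambari2.howard.local", "HOWARD.LOCAL"
    print("original:", render(ORIGINAL_TEMPLATE, nn, realm))
    print("updated: ", render(UPDATED_TEMPLATE, nn, realm))
    print("findings:", check_upn(AD_ATTRIBUTES, nn, realm) or "none")
```

Running it against the constructed dump reports no findings for `nn/ambari2.howard.local`, which agrees with Rob's reading that the UPN itself is not the problem; pointing it at a principal the dump does not carry shows the mismatch finding that corresponds to a missing or misnamed account.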


From: Steve Howard <stevedhoward@gmail.com>
Reply-To: "user@ambari.apache.org" <user@ambari.apache.org>
Date: Wednesday, May 27, 2015 at 10:55 AM
To: "user@ambari.apache.org" <user@ambari.apache.org>
Subject: Active Directory as a KDC for Hadoop

Hi All,

We are having an issue with the Ambari 2.0 release, and its wizard to configure Active Directory
as a KDC for securing the cluster.  We had no errors during configuration, but none of the
services start after it has been completed.

Specifically, we get the infamous "Client not found in Kerberos database" message.  This is
actually a very simple one node cluster with Ambari and HDP on Centos 6.  We point to a Windows
Server 2008 AD DC.  When we print the associated attributes in AD, it looks like the UPN is
formatted as a service principal name, which I don't think AD supports.

See below for a snippet of the attributes in AD...

[root@ambari2 ~]# /usr/jdk64/jdk1.7.0_67/bin/java TestAD | strings -a | grep nn
>>>"CN=nn/ambari2.howard.local,CN=Users"
cn: nn/ambari2.howard.local
userPrincipalName: nn/ambari2.howard.local@HOWARD.LOCAL
servicePrincipalName: nn/ambari2.howard.local
distinguishedName: CN=nn/ambari2.howard.local,CN=Users,DC=howard,DC=local
name: nn/ambari2.howard.local
[root@ambari2 ~]#

Has anyone run into this?  Conversely, has anyone gotten AD to work as a KDC for Hadoop?

Thanks,

Steve
