ambari-user mailing list archives

From Robert Levas <rle...@hortonworks.com>
Subject Re: Active Directory as a KDC for Hadoop
Date Fri, 29 May 2015 01:39:01 GMT
Steve...

Thanks for the update on this.

Rob


From: Steve Howard <stevedhoward@gmail.com>
Reply-To: "user@ambari.apache.org" <user@ambari.apache.org>
Date: Thursday, May 28, 2015 at 9:12 PM
To: "user@ambari.apache.org" <user@ambari.apache.org>
Subject: Re: Active Directory as a KDC for Hadoop

Just to close the loop on this, this is definitely an issue with how Server 2008 handles UPNs.
As soon as I installed 2012 R2, with the exact same config, everything worked.

I had a ticket open with Hortonworks, and have asked them to add the Server 2012 requirement
to the documentation for anyone who wants to secure a cluster with AD Kerberos.  Hopefully
this will save someone else a lot of heartburn.

On Wed, May 27, 2015 at 10:55 AM, Steve Howard <stevedhoward@gmail.com> wrote:
Hi All,

We are having an issue with the Ambari 2.0 release, and its wizard to configure Active Directory
as a KDC for securing the cluster.  We had no errors during configuration, but none of the
services start after it has been completed.

Specifically, we get the infamous "Client not found in Kerberos database" message.  This is
actually a very simple one-node cluster with Ambari and HDP on CentOS 6.  We point to a Windows
Server 2008 AD DC.  When we print the associated attributes in AD, it looks like the UPN is
formatted as a service principal name, which I don't think AD supports.

See below for a snippet of the attributes in AD...

[root@ambari2 ~]# /usr/jdk64/jdk1.7.0_67/bin/java TestAD | strings -a | grep nn
>>>"CN=nn/ambari2.howard.local,CN=Users"
cn: nn/ambari2.howard.local
userPrincipalName: nn/ambari2.howard.local@HOWARD.LOCAL
servicePrincipalName: nn/ambari2.howard.local
distinguishedName: CN=nn/ambari2.howard.local,CN=Users,DC=howard,DC=local
name: nn/ambari2.howard.local
[root@ambari2 ~]#

Has anyone run into this?  Conversely, has anyone gotten AD to work as a KDC for Hadoop?

Thanks,

Steve


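The symptom Steve's attribute dump shows is a userPrincipalName written in service-principal form (nn/host@REALM) instead of user@REALM. The script below is an added diagnostic, not code from the thread or the Ambari project: it parses an ldapsearch-style attribute dump (the constructed sample mirrors the quoted attributes, plus a well-formed account for contrast) and lists every account whose UPN carries a "/instance" component or sits in a realm other than the expected one, so the accounts a Kerberos wizard created can be audited before services are started.

```python
"""Audit AD accounts for UPNs written in Kerberos service-principal form."""
import re

# Constructed sample modelled on the attribute snippet quoted in the thread;
# the second entry is an invented, correctly shaped user account.
SAMPLE_DUMP = """\
cn: nn/ambari2.howard.local
userPrincipalName: nn/ambari2.howard.local@HOWARD.LOCAL
servicePrincipalName: nn/ambari2.howard.local
distinguishedName: CN=nn/ambari2.howard.local,CN=Users,DC=howard,DC=local

cn: ambari-qa
userPrincipalName: ambari-qa@HOWARD.LOCAL
distinguishedName: CN=ambari-qa,CN=Users,DC=howard,DC=local
"""

def parse_dump(text):
    """Split a blank-line separated attribute dump into one dict per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs[key.strip()] = value.strip()
        if attrs:
            entries.append(attrs)
    return entries

def split_principal(upn):
    """Return (primary, instance, realm) for 'primary[/instance][@REALM]'."""
    name, sep, realm = upn.rpartition("@")
    if not sep:
        name, realm = upn, None
    primary, sep, instance = name.partition("/")
    return primary, (instance if sep else None), realm

def find_spn_shaped_upns(text, expected_realm):
    """DNs of accounts whose UPN has an instance part or is not in expected_realm."""
    findings = []
    for entry in parse_dump(text):
        upn = entry.get("userPrincipalName")
        if not upn:
            continue
        _primary, instance, realm = split_principal(upn)
        if instance is not None or realm != expected_realm:
            findings.append(entry.get("distinguishedName", upn))
    return findings

if __name__ == "__main__":
    for dn in find_spn_shaped_upns(SAMPLE_DUMP, "HOWARD.LOCAL"):
        print("SPN-shaped or off-realm UPN:", dn)
```

To run it against a live directory, feed it the output of an ldapsearch over the container the wizard writes to (CN=Users in the thread) instead of SAMPLE_DUMP.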