hey Mike, Are these part of an Active Directory Domain? If so are they pointed at the AD domain controllers that hosts the Kerberos server? Windows AD create SRV records in DNS to help windows clients find the Kerberos server for their domain. If you look you can see if you have a kdc record in Windows DNS and what it's pointing at. Can you do a
kinit *username * on that host? It should tell you if it can find the KDC. Let me know if that's helpful at all. Todd On Fri, Dec 11, 2015 at 1:50 PM, Mike Wright <mwri...@snl.com> wrote: > As part of our implementation, we are utilizing a full "Kerberized" > cluster built on the Hortonworks suite. We're using Job Server as the front > end to initiate short-run jobs directly from our client-facing product > suite. > > 1) We believe we have configured the job server to start with the > appropriate credentials, specifying a principal and keytab. We switch to > YARN-CLIENT mode and can see Job Server attempt to connect to the resource > manager, and the result is that whatever the principal name is, it "cannot > impersonate root." We have been unable to solve this. > > 2) We are primarily a Windows shop, hence our cluelessness here. That > said, we're using the JDBC driver version 4.2 and want to use JavaKerberos > authentication to connect to SQL Server. The queries performed by the job > are done in the driver, and hence would be running on the Job Server, which > we confirmed is running as the principal we have designated. However, when > attempting to connect with this option enabled I receive a "Unable to > obtain Principal Name for authentication" exception. > > Reading this: > > https://msdn.microsoft.com/en-us/library/ms378428.aspx > > We have Kerberos working on the machine and thus have krb5.conf setup > correctly. However the section, " > > Enabling the Domain Configuration File and the Login Module Configuration > File" seems to indicate we've missed a step somewhere. > > Forgive my ignorance here ... I've been on Windows for 20 years and this > is all new to. > > Thanks for any guidance you can provide. >
