Hi Bob, Thanks for the quick reply. My first thought was that it would be DNS related or something similar, but I can successfully connect/authenticate when I compiled a command line client class with a "normal" userPrincipalName account and an associated keytab. When I change the same test class to use the UPN generated by Ambari and its associated keytab, it always throws the exception listed.
We also have a ticket open with HortonWorks support, but thought the list may be as quick in terms of a direction to pursue. I will reply back when we get more info.

Thanks,

Steve

On Wed, May 27, 2015 at 1:20 PM, Robert Levas <[email protected]> wrote:

> Hi Steve…
>
> We have successfully enabled Kerberos on many clusters using AD as the KDC. My experience is with Windows Server 2012, though.
>
> The details you are showing for the NN service identity look correct, so I don't think that is an issue. If it wasn't, Active Directory would have rejected it upon creation of the account. However, if you believe that the UPN is incorrect, you can disable Kerberos and then re-enable Kerberos. However, on the 2nd Wizard screen you should edit the "Attribute template" under the "Advanced kerberos-env" section and change:
>
> *Original*: "userPrincipalName": "$normalized_principal",
> *Updated*: "userPrincipalName": "$principal_name",
>
> The "Client not found in Kerberos database" indicates that the identity in question may not have been created. There may be several reasons for this… maybe the UPN is incorrect, maybe the host cannot communicate with the AD (this could happen if the krb5.conf file is incorrect).
>
> I hope this helps,
> Rob
>
>
> From: Steve Howard <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Wednesday, May 27, 2015 at 10:55 AM
> To: "[email protected]" <[email protected]>
> Subject: Active Directory as a KDC for Hadoop
>
> Hi All,
>
> We are having an issue with the Ambari 2.0 release, and its wizard to configure Active Directory as a KDC for securing the cluster. We had no errors during configuration, but none of the services start after it has been completed.
>
> Specifically, we get the infamous "Client not found in Kerberos database" message. This is actually a very simple one node cluster with Ambari and HDP on Centos 6. We point to a Windows Server 2008 AD DC. When we print the associated attributes in AD, it looks like the UPN is formatted as a service principal name, which I don't think AD supports.
>
> See below for a snippet of the attributes in AD...
>
> [root@ambari2 ~]# /usr/jdk64/jdk1.7.0_67/bin/java TestAD | strings -a | grep nn
> >>>"CN=nn/ambari2.howard.local,CN=Users"
> cn: nn/ambari2.howard.local
> userPrincipalName: nn/[email protected]
> servicePrincipalName: nn/ambari2.howard.local
> distinguishedName: CN=nn/ambari2.howard.local,CN=Users,DC=howard,DC=local
> name: nn/ambari2.howard.local
> [root@ambari2 ~]#
>
> Has anyone run into this? Conversely, has anyone gotten AD to work as a KDC for Hadoop?
>
> Thanks,
>
> Steve
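A small triage helper for the kind of attribute dump Steve posted, added here as an example (it is not code from the thread, from Ambari or from the TestAD class). It parses "attribute: value" entries like the TestAD output and flags the conditions the thread discusses (an SPN-shaped UPN, a realm mismatch, a missing servicePrincipalName) for review rather than declaring them wrong; the realm HOWARD.LOCAL and the second "normal" account are assumptions.

```python
# Constructed sample in the same "attribute: value" layout as the TestAD dump
# in the thread. The realm HOWARD.LOCAL is an assumption (the DN shows
# DC=howard,DC=local); the "steve" account is invented for contrast.
SAMPLE_DUMP = """\
cn: nn/ambari2.howard.local
userPrincipalName: nn/ambari2.howard.local@HOWARD.LOCAL
servicePrincipalName: nn/ambari2.howard.local
distinguishedName: CN=nn/ambari2.howard.local,CN=Users,DC=howard,DC=local
name: nn/ambari2.howard.local

cn: steve
userPrincipalName: steve@HOWARD.LOCAL
distinguishedName: CN=steve,CN=Users,DC=howard,DC=local
name: steve
"""


def parse_dump(text):
    """Split a dump into entries: blank-line separated dicts of attribute -> value."""
    entries, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def check_entry(entry, expected_realm):
    """Return findings for one account; an empty list means nothing to review."""
    findings = []
    upn = entry.get("userPrincipalName", "")
    if "@" not in upn:
        return ["userPrincipalName missing or has no @REALM part: %r" % upn]
    user_part, _, realm = upn.rpartition("@")
    if "/" in user_part:  # service-style name in the UPN, as in the thread's dump
        findings.append("UPN is written like an SPN (contains '/'): %s" % upn)
        if not entry.get("servicePrincipalName"):
            findings.append("no servicePrincipalName set on a service-style account")
    if realm.upper() != expected_realm.upper():
        findings.append("UPN realm %r differs from expected realm %r" % (realm, expected_realm))
    return findings


def check_dump(text, expected_realm="HOWARD.LOCAL"):
    """Map each entry's cn to its list of findings."""
    return {e.get("cn", "?"): check_entry(e, expected_realm) for e in parse_dump(text)}
```

Feed it the raw output of the attribute query and review any account whose list is non-empty before looking further at krb5.conf or the wizard template.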
