Steve...

Thanks for the update on this.

Rob


From: Steve Howard <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Thursday, May 28, 2015 at 9:12 PM
To: "[email protected]" <[email protected]>
Subject: Re: Active Directory as a KDC for Hadoop

Just to close the loop on this, this is definitely an issue with how Server 
2008 handles UPNs.  As soon as I installed 2012 R2, with the exact same 
config, everything worked.

I had a ticket open with Hortonworks, and have asked them to add the Server 
2012 requirement to the documentation for anyone that wants to secure a cluster 
with AD Kerberos.  Hopefully this will save someone else a lot of heartburn.

On Wed, May 27, 2015 at 10:55 AM, Steve Howard <[email protected]> wrote:
Hi All,

We are having an issue with the Ambari 2.0 release, and its wizard to configure 
Active Directory as a KDC for securing the cluster.  We had no errors during 
configuration, but none of the services start after it has been completed.

Specifically, we get the infamous "Client not found in Kerberos database" 
message.  This is actually a very simple one-node cluster with Ambari and HDP 
on CentOS 6.  We point to a Windows Server 2008 AD DC.  When we print the 
associated attributes in AD, it looks like the UPN is formatted as a service 
principal name, which I don't think AD supports.

See below for a snippet of the attributes in AD...

[root@ambari2 ~]# /usr/jdk64/jdk1.7.0_67/bin/java TestAD | strings -a | grep nn
>>>"CN=nn/ambari2.howard.local,CN=Users"
cn: nn/ambari2.howard.local
userPrincipalName: nn/[email protected]
servicePrincipalName: nn/ambari2.howard.local
distinguishedName: CN=nn/ambari2.howard.local,CN=Users,DC=howard,DC=local
name: nn/ambari2.howard.local
[root@ambari2 ~]#

Has anyone run into this?  Conversely, has anyone gotten AD to work as a KDC for 
Hadoop?

Thanks,

Steve
