11-14-2013 10:54 PM
When I enabled(configured) the kerberos security using cloudera manager, it is not creating the principals on KDC but it shows all the principals under "Administrations--Kerberos web interface", because of this I am not able to start the cluster with kerberos enabled. May I know what I am doing wrong?
I listed the principals on KDC by command line but I do not see all any of the principals created by cloudera manager.
11-14-2013 10:58 PM
It appears that you have not completed all of the steps necessary to enable hadoop security using cloudera manager, as descibed here:
11-14-2013 11:07 PM
What exaclty step 10 means? does it supposed to create the credentials on KDC or not? - because I see it finished on web interface but I dont see any principals crated on domain controler. So I just want to make sure what I did thus far is good or not before moving to next step.
11-14-2013 11:30 PM
I get the following error(CLIENT not found in kerberos database) - which I think make sense because I do not have principal on KDC.
Unexpected exception, exiting abnormally java.io.IOException: Could not configure server because SASL configuration did not allow the ZooKeeper server to authenticate itself properly: javax.security.auth.login.LoginException: Client not found in Kerberos database (6) - CLIENT_NOT_FOUND at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:205) at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:87) at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:135) at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:116) at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:79)
11-14-2013 11:30 PM
Poke the "generate credentials" button in the Cloudera manager > Administration > Kerberos screen and it should create the principals for you if steps 1-7 were done correctly. At that point you should see them listed in the kerberos web page (after a little bit and a refresh of the page). You will see them in the KDC when you do a "listprincs" command ( within kadmin.local on the KDC or using just kadmin if you are remote to the kdc in your shell).
From there you can continue with the rest of the steps.
When you start the cluster services, CM will distribute the keytabs needed by all the services to start up and inter-operate with each other using kerberos security.
11-14-2013 11:35 PM
Thanks!!! I think I am doing something wrong ...
1.) all the principals shows up on on CM
2.) but no new principals created on KDC for almost hour now.
I used both kdadmin as well as kadmin.local to list the principals ..
I have all the cluster sevices is down except management.