https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183119#M145285 <P>I also have </P><PRE> export HADOOP_ZKFC_OPTS="-Dzookeeper.sasl.client=true -Dzookeeper.sasl.client.username=zookeeper -Djava.security.auth.login.config=/usr/hdp/2.6.0.3-8/hadoop/conf/secure/hdfs_jaas.conf -Dzookeeper.sasl.clientconfig=Client $HADOOP_ZKFC_OPTS"</PRE><P>hdfs_jaas.conf:</P><PRE>Client { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true useTicketCache=false keyTab="/etc/security/keytabs/nn.service.keytab" principal="nn/namenodehost1.local@MYREALM.FS"; }; </PRE> Tue, 08 May 2018 20:29:01 GMT sadek_mostefai 2018-05-08T20:29:01Z https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183114#M145280 <P>Hi,</P><P>I had enabled Kerberos on my cluster w/o realizing that the hostname was never included on /etc/hosts. I went and did that and also remove and re-add Kerberos. I still cannot get rid of this error:</P><P>nn/namenodehost1.local@MYREALM.FS for zookeeper/10.169.110.22@MYREALM.FS, Server not found in Kerberos database</P><P>As if the _HOST var doesn't get translated to the host's FQDN.</P><P>Any help is really appreciated.</P><P>Sadek</P> Fri, 16 Sep 2022 13:10:19 GMT https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183114#M145280 sadek_mostefai 2022-09-16T13:10:19Z https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183115#M145281 <P>I went ahead and re-built everything from scratch and still having the same issue. Any idea where ZKFC gets its ZK connection string besides ha.zookeeper.quorum ?</P> Tue, 08 May 2018 18:53:16 GMT https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183115#M145281 sadek_mostefai 2018-05-08T18:53:16Z https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183116#M145282 <P><EM> <A href="@Sadek M"> @Sadek M</A></EM></P><P><EM>I would gladly help, but I would need you to share all the steps you executed and the below info.</EM></P><UL><LI><I>HDP /Ambari versions</I></LI><LI><I>Cluster OS</I></LI><LI><I>/etc/hosts entry [Assuming they are identical]</I></LI><LI><I>Number of nodes in Cluster</I></LI><LI><I>KDC setup process</I></LI><LI><I>Ambari Kerberos enabling errors.</I></LI><LI><I>Output of</I></LI></UL><PRE># kadmin.local listprincs</PRE><UL><LI><I><STRONG>kadm5.acl</STRONG> usually in<STRONG> /var/kerberos/krb5kdc</STRONG></I></LI><LI><I><STRONG>krb5.conf</STRONG> in <STRONG>/etc</STRONG><BR /></I></LI></UL><P><EM>Please obfuscate any hostname or sensitive info before sharing </EM></P> Tue, 08 May 2018 19:42:40 GMT https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183116#M145282 Shelton 2018-05-08T19:42:40Z https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183117#M145283 <UL> <LI>HDP-2.6.0.3/ Ambari Version 2.6.1.5 </LI><LI>Centos 7.4 (64bit)</LI><LI>/etc/hosts file only contains FQDN entry for its host. DNS is enabled (forward ONLY).</LI><LI>Cluster nodes: 3 zk + 2 NN (HA node) + Ranger (KMS) + 3 DN.</LI><LI>KDC setup was done following the steps at <A href="https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_security/content/install-kdc.html" target="_blank">https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_security/content/install-kdc.html</A>. All principals have been created in KDC during Kerberos enabling process. They match what was in the Excel file I'd downloaded.</LI></UL><PRE>/var/kerberos/krb5kdc/kadm5.acl: */admin@MYREALM.FS * </PRE> Tue, 08 May 2018 20:19:33 GMT https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183117#M145283 sadek_mostefai 2018-05-08T20:19:33Z https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183118#M145284 <PRE>/etc/krb5.conf: [libdefaults] renew_lifetime = 7d forwardable = true default_realm = MYREALM.FS ticket_lifetime = 24h dns_lookup_realm = false dns_lookup_kdc = false default_ccache_name = /tmp/krb5cc_%{uid} #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5 #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5 [logging] default = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log kdc = FILE:/var/log/krb5kdc.log [realms] MYREALM.FS = { admin_server = mykdc.local kdc = mykdc.local } </PRE><P>Looking at the hadoop-hdfs-zkfc log file, I am trying to figure out where zkfc gets its zk connection string from:</P><P>2018-05-07 16:12:49,965 INFO zookeeper.ClientCnxn (ClientCnxn.java:logStartConnect(1019)) - Opening socket connection to server 10.169.110.22/10.169.110.22:2181. Will attempt to SASL-authenticate using Login Context section 'Client'.</P> Tue, 08 May 2018 20:23:25 GMT https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183118#M145284 sadek_mostefai 2018-05-08T20:23:25Z https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183119#M145285 <P>I also have </P><PRE> export HADOOP_ZKFC_OPTS="-Dzookeeper.sasl.client=true -Dzookeeper.sasl.client.username=zookeeper -Djava.security.auth.login.config=/usr/hdp/2.6.0.3-8/hadoop/conf/secure/hdfs_jaas.conf -Dzookeeper.sasl.clientconfig=Client $HADOOP_ZKFC_OPTS"</PRE><P>hdfs_jaas.conf:</P><PRE>Client { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true useTicketCache=false keyTab="/etc/security/keytabs/nn.service.keytab" principal="nn/namenodehost1.local@MYREALM.FS"; }; </PRE> Tue, 08 May 2018 20:29:01 GMT https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183119#M145285 sadek_mostefai 2018-05-08T20:29:01Z https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183120#M145286 <P><EM><A href="https://community.hortonworks.com/questions/189451/@Sadek%20M">@Sadek M</A></EM></P><P><EM>A properly functioning DNS server for your domain and functioning DNS resolvers on machines participating in your Kerberos realm is essential for the proper operation of your realm.</EM></P><P><EM>Kerberos can use DNS as a service location protocol, by using the DNS SRV record as defined in RFC 2052 or use a TXT record to locate the appropriate realm for a given host or domain name.</EM></P><P><EM>Are you using a MIT Kerberos? Can you update your krb5.conf on all the nodes by adding: </EM></P><PRE>[libdefaults] rdns = false </PRE><P><EM>Your problem is a DNS issue, that's the reason I wanted the entries in /etc/hosts. A workaround if you cluster is small you could propagate the correct hosts' files, while you resolve the DNS issue.</EM></P><P></P><P><STRONG><EM>Setting Up KDC Discovery Over DNS</EM></STRONG></P> <P><EM>To use KDC discovery over DNS, the following records should be placed in the<STRONG> zone file</STRONG> corresponding to the Kerberos realm. In most cases, since the Kerberos realm name is simply an uppercase version of the DNS domain owned by the organization, these DNS entries are placed into the organization’s existing DNS zone file. </EM></P><P><EM>Note, however, if the Kerberos realm and DNS domain differ, then a new zone must be created with the name of the Kerberos realm typical your network team should be able to help with the DNS zone update !</EM></P><P><EM>Your zone file example</EM></P><PRE>_kerberos._udp.MYREALM.FS. IN SRV 10 0 88 {your_kdc_server}.myrealm.fs. _kerberos._tcp.MYREALM.FS. IN SRV 10 0 88 {your_kdc_server}.myrealm.fs. _kerberos-adm._tcp.MYREALM.FS. IN SRV 1 0 749 {your_kdc_server}.myrealm.fs.</PRE><P><EM>Hope that helps</EM></P> Tue, 08 May 2018 20:51:10 GMT https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183120#M145286 Shelton 2018-05-08T20:51:10Z https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183121#M145287 <P><EM><A href="https://community.hortonworks.com/questions/189451/@Sadek%20M">@Sadek M</A></EM></P><P><EM>I think you also forgot the entry [domain_realm] I have added it to your original krb5.conf, please backup your current krb5.conf and just copy and paste the one below,</EM></P><PRE>[libdefaults] renew_lifetime = 7d forwardable = true default_realm = MYREALM.FS ticket_lifetime = 24h dns_lookup_realm = false dns_lookup_kdc = false default_ccache_name = /tmp/krb5cc_%{uid} #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5 #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5 [domain_realm] .myrealm.fs = MYREALM.FS myrealm.fs = MYREALM.FS [logging] default = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log kdc = FILE:/var/log/krb5kdc.log [realms] MYREALM.FS = { admin_server = mykdc.local kdc = mykdc.local }</PRE><P><EM>Then restart below Kerberos daemons</EM></P><PRE># service krb5kdc start # service kadmin restart</PRE><P><EM> Please let me know </EM></P> Wed, 09 May 2018 04:39:33 GMT https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183121#M145287 Shelton 2018-05-09T04:39:33Z https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183122#M145288 <P>Adding all nodes in /etc/hosts across all of them fixed the problem. Thanks!</P> Wed, 09 May 2018 04:55:21 GMT https://community.cloudera.com/t5/Support-Questions/Cluster-non-operational-after-enabling-Kerberos/m-p/183122#M145288 sadek_mostefai 2018-05-09T04:55:21Z