https://community.cloudera.com/t5/Support-Questions/Kerberized-Clusters-Can-you-have-multiple-keytabs-in-AD/m-p/221214#M183088 <P>Hi Umair,</P><P>Our AD team created a headless keytab without HOST attribute and the keytab with same service account name with HOST attribute broke and the headless keytab doesn't work. What is the appropriate syntax for creating headless keytabs in AD? We created it as follows: </P><P>C:\Users\adminname&gt;ktpass /princ serviceaccountname@domain.com /pass securepassword /mapuser serviceaccountname /pType KRB5_NT_PRINCIPA L /out serviceaccountname_headless.keytab Targeting domain controller: hostname.domain.com Failed to set property 'servicePrincipalName' to 'serviceaccountname' on Dn 'CN=serviceaccountname,OU=Hadoop,OU=Secure,OU=Secure,OU=Secure,DC=domain,DC=com': 0x13. WARNING: Unable to set SPN mapping data. If serviceaccountname already has an SPN mapping installed for serviceaccountname, this is no cause for concern. Password successfully set! Key created. Output keytab to serviceaccountname_headless.keytab: Keytab version: 0x502 keysize 57 serviceaccountname@domain.com ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x17 (RC4-HMAC) keylength 16 (A000000000000000000)</P><P>This is the error received when kiniting the headless keytab:</P><P><STRONG>Keytab contains no suitable keys for serviceaccountname@domain.com while getting initial credentials.</STRONG></P> Tue, 16 May 2017 20:31:58 GMT dmmontague 2017-05-16T20:31:58Z