https://community.cloudera.com/t5/Support-Questions/Spark-job-failure-after-Kerberos-is-enabled/m-p/401446#M251157 <P><SPAN>It appears that the user 'xxxx' has not been synchronized back from LDAP to the local OS on the relevant host. There is a possibility that it could be due to misconfiguration on the AD/LDAP side, preventing correct username resolution and causing the synchronization to fail.&nbsp; Resolve AD/LDAP side problem to overcome this problem.&nbsp;<BR /><BR />Also <A href="https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-authorization/topics/cm-security-authorization-ldap-group-mappings.html" target="_self">Document</A>&nbsp; for CDP 7.1.7&nbsp;<BR /><BR /><BR /><BR /><BR /><BR /></SPAN></P> Tue, 04 Feb 2025 13:55:50 GMT ggangadharan 2025-02-04T13:55:50Z https://community.cloudera.com/t5/Support-Questions/Spark-job-failure-after-Kerberos-is-enabled/m-p/401216#M251090 <P>The error from my Spark job is<BR />++++<BR />Failing this attempt.Diagnostics: Application application_1738011234567_0014 initialization failed (exitCode=255) with output: main : command provided 0<BR />main : run as user is xxxx<BR />main : requested yarn user is xxxx<BR />User xxxx not found<BR />++++</P><P>I read this post &lt;<A href="https://community.cloudera.com/t5/Support-Questions/MapReduce-job-failing-after-kerberos/td-p/160273" target="_blank">https://community.cloudera.com/t5/Support-Questions/MapReduce-job-failing-after-kerberos/td-p/160273</A>&gt;. My group mapping configuration is hadoop.security.group.mapping = org.apache.hadoop.security.LdapGroupsMapping. I kinited xxxx before the job run. I added the AD user xxxx to an AD group hadoop. But I still got the same error.</P><P>This online doc might be appliable &lt;<A href="https://docs.cloudera.com/cdp-private-cloud-base/7.1.8/security-authorization/topics/cm-security-authorization-ldap-group-mappings.html#ariaid-title3" target="_blank">https://docs.cloudera.com/cdp-private-cloud-base/7.1.8/security-authorization/topics/cm-security-authorization-ldap-group-mappings.html#ariaid-title3</A>&gt;<BR />I might need to add the flag -Dcom.cloudera.cmf.service.config.emitLdapBindPasswordInClientConfig=true to the variable CMF_JAVA_OPTS flag. But the documentation is for CDP 7.1.8 and does not exist for 7.1.7, which is my cluster.</P><P>Thank you.</P><P>Best regards,</P> Thu, 30 Jan 2025 18:46:20 GMT https://community.cloudera.com/t5/Support-Questions/Spark-job-failure-after-Kerberos-is-enabled/m-p/401216#M251090 Seaport 2025-01-30T18:46:20Z https://community.cloudera.com/t5/Support-Questions/Spark-job-failure-after-Kerberos-is-enabled/m-p/401446#M251157 <P><SPAN>It appears that the user 'xxxx' has not been synchronized back from LDAP to the local OS on the relevant host. There is a possibility that it could be due to misconfiguration on the AD/LDAP side, preventing correct username resolution and causing the synchronization to fail.&nbsp; Resolve AD/LDAP side problem to overcome this problem.&nbsp;<BR /><BR />Also <A href="https://docs.cloudera.com/cdp-private-cloud-base/7.1.7/security-authorization/topics/cm-security-authorization-ldap-group-mappings.html" target="_self">Document</A>&nbsp; for CDP 7.1.7&nbsp;<BR /><BR /><BR /><BR /><BR /><BR /></SPAN></P> Tue, 04 Feb 2025 13:55:50 GMT https://community.cloudera.com/t5/Support-Questions/Spark-job-failure-after-Kerberos-is-enabled/m-p/401446#M251157 ggangadharan 2025-02-04T13:55:50Z https://community.cloudera.com/t5/Support-Questions/Spark-job-failure-after-Kerberos-is-enabled/m-p/401466#M251171 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/92016">@ggangadharan</a>&nbsp;Thanks for the advice.&nbsp; After I created user xxx on each data node, the Spark job ran successfully.</P><P>Regarding user account synchronization from ldap to local OS, I had to create the user account on each node manually. Do you mean using SSSD?</P><P>Regards,</P> Tue, 04 Feb 2025 23:35:23 GMT https://community.cloudera.com/t5/Support-Questions/Spark-job-failure-after-Kerberos-is-enabled/m-p/401466#M251171 Seaport 2025-02-04T23:35:23Z https://community.cloudera.com/t5/Support-Questions/Spark-job-failure-after-Kerberos-is-enabled/m-p/401477#M251182 <P>If the environment allows , use <STRONG>SSSD</STRONG> with <STRONG>LDAP integration</STRONG> to avoid manually creating Users.&nbsp;<BR />If that's not possible , use <STRONG>Ansible to automate user creation</STRONG> across all nodes.&nbsp;</P> Wed, 05 Feb 2025 08:48:26 GMT https://community.cloudera.com/t5/Support-Questions/Spark-job-failure-after-Kerberos-is-enabled/m-p/401477#M251182 ggangadharan 2025-02-05T08:48:26Z