https://community.cloudera.com/t5/Support-Questions/Error-while-enabling-kerberos/m-p/69828#M2944 <P><a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/27482">@balusu</a>,</P><P>&nbsp;</P><P>That's great news and the new issue is something completely unrelated it seems.</P><P>When zookeeper tries to login "kinit" that fails since it cannot reach the port.</P><P>&nbsp;</P><P>By default Kerberos uses UDP, so I wonder if UDP packets are being blocked when going to your KDC.</P><P>I would try the following:</P><P>&nbsp;</P><P><FONT face="courier new,courier">klist -kt /var/run/cloudera-scm-agent/process/`ls -lrt /var/run/cloudera-scm-agent/process/ | awk '{print $9}' |grep zookeeper| tail -1`/zookeeper.keytab</FONT></P><P>&nbsp;</P><P>This should show you the zookeer principal</P><P>&nbsp;</P><P>Try running "kinit" like this:</P><P>&nbsp;</P><P>Note the principal name.</P><P><FONT face="courier new,courier">kinit -kt /var/run/cloudera-scm-agent/process/`ls -lrt /var/run/cloudera-scm-agent/process/ | awk '{print $9}' |grep zookeeper| tail -1`/zookeeper.keytab <EM>principal_from_klist_output</EM></FONT></P><P>&nbsp;</P><P>Even if this succeeds, I'd consider forcing Kerberos clients to use TCP just to see by adding this in the [libdefaults] section of your /etc/krb5.conf on the zookeeper host:</P><P>&nbsp;</P><P><STRONG>udp_preference_limit=1</STRONG></P><P>&nbsp;</P><P>Hope some of this helps you track down the cause.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 10 Jul 2018 22:53:13 GMT bgooley 2018-07-10T22:53:13Z