https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-cluster-with-Kerberos-wrong-principal-expected/m-p/121662#M34317 <P>The hostname resolution works fine. However the issue is very likely in reverse lookups for IP addresses.</P> Mon, 11 Jul 2016 13:22:40 GMT milan_sladky 2016-07-11T13:22:40Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-cluster-with-Kerberos-wrong-principal-expected/m-p/121660#M34315 <P>I have successfully enabled Kerberos for Ambari managed cluster. I have used the Wizard to generate the principals and everything. However the datanodes do not connect to namenodes. The reason is following:</P><PRE>2016-07-08 16:10:54,753 INFO ipc.Server (Server.java:doRead(891)) - Socket Reader #1 for port 8020: readAndProcess from client 172.30.52.137 threw exception [org.apache.hadoop.security.authorize.AuthorizationException: User dn/hadoop-poc2-02.int.na.prodxxx.com@HADOOPXXX.COM (auth:KERBEROS) is not authorized for protocol interface org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol, expected client Kerberos principal is dn/172.30.52.137@HADOOPXXX.COM]</PRE><P>They expect principals containing IP address instead of hostnames... I have checked the keytabs and it is generated properly:</P><PRE>Keytab name: FILE:dn.service.keytab KVNO Principal ---- -------------------------------------------------------------------------- 1 dn/hadoop-poc2-02.int.na.prodxxx.com@HADOOPXXX.COM 1 dn/hadoop-poc2-02.int.na.prodxxx.com@HADOOPXXX.COM 1 dn/hadoop-poc2-02.int.na.prodxxx.com@HADOOPXXX.COM 1 dn/hadoop-poc2-02.int.na.prodxxx.com@HADOOPXXX.COM 1 dn/hadoop-poc2-02.int.na.prodxxx.com@HADOOPXXX.COM </PRE><P>Any hints?</P> Sun, 10 Jul 2016 22:22:39 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-cluster-with-Kerberos-wrong-principal-expected/m-p/121660#M34315 milan_sladky 2016-07-10T22:22:39Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-cluster-with-Kerberos-wrong-principal-expected/m-p/121661#M34316 <P>@<A href="https://community.hortonworks.com/users/10804/milansladky.html">Milan Sladky</A></P><P>Are you sure that the hostname resolution is correct at your end? like `hostname -f` or "/etc/hosts" file ...etc.</P><P>It looks suspect because the Error indicates IPAddress "expected client Kerberos principal is dn/<STRONG>172.30.52.137</STRONG>@HADOOPXXX.COM]"</P><P>Where as your keytabs looks more valid with the hostname "dn/<STRONG>hadoop-poc2-02.int.na.prodxxx.com</STRONG>@HADOOPXXX.COM" </P> Sun, 10 Jul 2016 23:38:06 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-cluster-with-Kerberos-wrong-principal-expected/m-p/121661#M34316 Former Member 2016-07-10T23:38:06Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-cluster-with-Kerberos-wrong-principal-expected/m-p/121662#M34317 <P>The hostname resolution works fine. However the issue is very likely in reverse lookups for IP addresses.</P> Mon, 11 Jul 2016 13:22:40 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-cluster-with-Kerberos-wrong-principal-expected/m-p/121662#M34317 milan_sladky 2016-07-11T13:22:40Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-cluster-with-Kerberos-wrong-principal-expected/m-p/121663#M34318 <P>So the issue was very likely caused by the fact that reverse lookup for IP address is performed. We do not have PTR records and /etc/hosts contains info about current host only. I have added records for all hosts of the cluster to /etc/hosts and it works now.</P><P>Please note that I have dfs.namenode.datanode.registration.<STRONG>ip-hostname-check </STRONG>set to <STRONG>false </STRONG>in custom hdfs-site.xml.</P> Mon, 11 Jul 2016 13:29:04 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ambari-cluster-with-Kerberos-wrong-principal-expected/m-p/121663#M34318 milan_sladky 2016-07-11T13:29:04Z