https://community.cloudera.com/t5/Archives-of-Support-Questions/AD-Kerberized-cluster-Hive-connection-string/m-p/165545#M45336 <P>Hi</P><P>The Hive principal is not a headless principal , ie the hive principal is dedicated to the HiveServer2 Server . </P><P>So the Principal name always pooints to the Hiveserver2 , which in your case is </P><P>qwang-hdp2. So if you are able to login using</P><PRE>beeline -u "jdbc:hive2://qwang-hdp2:10000/default;principal=hive/qwang-hdp2@REALM.NAME" Then you are good. </PRE> Tue, 08 Nov 2016 06:11:01 GMT pbalasundaram 2016-11-08T06:11:01Z https://community.cloudera.com/t5/Archives-of-Support-Questions/AD-Kerberized-cluster-Hive-connection-string/m-p/165544#M45335 <P>I have some question about the hive jdbc connection string for AD Kerberized cluster.</P><P>Hive server: qwang-hdp2</P><P>Hive clients: qwang-hdp0, qwang-hdp2, qwang-hdp4</P><P>I could connect using beeline using following conn string</P><PRE>beeline -u "jdbc:hive2://qwang-hdp2:10000/default;principal=hive/qwang-hdp2@REALM.NAME" </PRE><P>But not this conn string</P><PRE>beeline -u "jdbc:hive2://qwang-hdp2:10000/default;principal=hive/qwang-hdp0@REALM.NAME"</PRE><P>The only difference is the hive principal, got the following error </P><PRE>Error: Could not open client transport with JDBC Uri: jdbc:hive2://qwang-hdp2:10000/default;principal=hive/qwang-hdp0@REALM.NAME: Peer indicated failure: GSS initiate failed (state=08S01,code=0)</PRE><P>Root is under hadoopadmin principal</P><PRE>[root@qwang-hdp0 ~]# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: hadoopadmin@REALM.NAME </PRE><P>Also keytabs are available</P><PRE>[root@qwang-hdp0 ~]# klist -kt /etc/security/keytabs/hive.service.keytab Keytab name: FILE:/etc/security/keytabs/hive.service.keytab KVNO Timestamp Principal ---- ------------------- ------------------------------------------------------ 0 11/02/2016 20:35:50 hive/qwang-hdp0@REALM.NAME 0 11/02/2016 20:35:50 hive/qwang-hdp0@REALM.NAME 0 11/02/2016 20:35:50 hive/qwang-hdp0@REALM.NAME 0 11/02/2016 20:35:50 hive/qwang-hdp0@REALM.NAME 0 11/02/2016 20:35:50 hive/qwang-hdp0@REALM.NAME </PRE><P>Could you suggest any way to trouble shoot why this is happening?</P> Sat, 05 Nov 2016 00:16:01 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/AD-Kerberized-cluster-Hive-connection-string/m-p/165544#M45335 qiwang 2016-11-05T00:16:01Z https://community.cloudera.com/t5/Archives-of-Support-Questions/AD-Kerberized-cluster-Hive-connection-string/m-p/165545#M45336 <P>Hi</P><P>The Hive principal is not a headless principal , ie the hive principal is dedicated to the HiveServer2 Server . </P><P>So the Principal name always pooints to the Hiveserver2 , which in your case is </P><P>qwang-hdp2. So if you are able to login using</P><PRE>beeline -u "jdbc:hive2://qwang-hdp2:10000/default;principal=hive/qwang-hdp2@REALM.NAME" Then you are good. </PRE> Tue, 08 Nov 2016 06:11:01 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/AD-Kerberized-cluster-Hive-connection-string/m-p/165545#M45336 pbalasundaram 2016-11-08T06:11:01Z