https://community.cloudera.com/t5/Archives-of-Support-Questions/unable-to-authenticate-as-quot-username-quot-to-cluster/m-p/235530#M84750 <P><A href="https://community.hortonworks.com/questions/227267/unable-to-authenticate-as-username-to-cluster-afte.html#">@Narendra Neerukonda</A> </P><P>There is a place in the Ambari UI to set "additional realms". This is a comma-delimited list of realm names that Ambari will use to generate special auth-to-local rules. For each realm, Ambari will add the following rule</P><PRE>RULE:[1:$1@$0](.*@REALM)s/@.*//</PRE><P>For your example, you will add "EXAMPLE.COM" to the additional realms field. Ambari will then add the following rule to all auth-to-local rule properties it knows about:</P><PRE>RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//</PRE><P>Then principal names like user@EXAMPLE.COM will be translated into "username" when services are perform auto-to-local rule translations.</P><P>The "Additional Realms" field is found in the administrative Kerberos view... not to be confused with the Kerberos service view. </P><P>Make sure that you have also edited the krb5.conf template that Ambari uses to generate the krb5.conf files so that the realm is known to the Kerberos infrastructure. I assume that you already did this since you are able to kinit as a user from EXAMPLE.COM. Also, make sure that you established a trust relationship between the MIT KDC and the Active Directory. Else, even though you are able to kinit, services will not trust Kerberos tokens for that user and fail authentication. Looking at the error you are seeing, I assume you did this as well since the user appears to have been authenticated.</P> Wed, 07 Nov 2018 22:53:20 GMT rlevas 2018-11-07T22:53:20Z https://community.cloudera.com/t5/Archives-of-Support-Questions/unable-to-authenticate-as-quot-username-quot-to-cluster/m-p/235529#M84749 <P>I enabled kerbros using MIT KDC. MIT KDC has a trust setup with Active Directory. Say my AD realm was "EXAMPLE.COM" and local realm was "HADOOP.CLUSTERNAME.EXAMPLE.COM".</P><P>When i do a kinit &lt;username&gt;@EXAMPLE.COM, i'm able to get a kerberos ticket from the Active Directory. Now this should allow me to use hadoop as "username". However, instead it allows me to use only if i'm "username@EXAMPLE.COM".</P><P>Ex 1:</P><P>once authenticated with kerberos:</P><P>hadoop fs -put &lt;localfile&gt; /user/&lt;username&gt;/ - doesn't allow</P><P>But,</P><P>hadoop fs -mkdir /user/&lt;username&gt;@EXAMPLE.COM</P><P>hadoop fs -put &lt;localfile&gt; ---- this works</P><P>Ex 2:</P><P>hbase shell</P><P>user "username" has permission to access a table but, won't be allowed to access the table unless "username@EXAMPLE.COM" has access to table (or in other words):</P><P>after kinit &lt;username&gt;@EXAMPLE.COM</P><P>grant '&lt;username&gt;','R','tablename' --- will not allow me to access the table whereas grant '&lt;username@EXAMPLE.COM&gt;','R','tablename' will allow me to access the table. </P> Fri, 16 Sep 2022 13:52:39 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/unable-to-authenticate-as-quot-username-quot-to-cluster/m-p/235529#M84749 narendra_klu9 2022-09-16T13:52:39Z https://community.cloudera.com/t5/Archives-of-Support-Questions/unable-to-authenticate-as-quot-username-quot-to-cluster/m-p/235530#M84750 <P><A href="https://community.hortonworks.com/questions/227267/unable-to-authenticate-as-username-to-cluster-afte.html#">@Narendra Neerukonda</A> </P><P>There is a place in the Ambari UI to set "additional realms". This is a comma-delimited list of realm names that Ambari will use to generate special auth-to-local rules. For each realm, Ambari will add the following rule</P><PRE>RULE:[1:$1@$0](.*@REALM)s/@.*//</PRE><P>For your example, you will add "EXAMPLE.COM" to the additional realms field. Ambari will then add the following rule to all auth-to-local rule properties it knows about:</P><PRE>RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//</PRE><P>Then principal names like user@EXAMPLE.COM will be translated into "username" when services are perform auto-to-local rule translations.</P><P>The "Additional Realms" field is found in the administrative Kerberos view... not to be confused with the Kerberos service view. </P><P>Make sure that you have also edited the krb5.conf template that Ambari uses to generate the krb5.conf files so that the realm is known to the Kerberos infrastructure. I assume that you already did this since you are able to kinit as a user from EXAMPLE.COM. Also, make sure that you established a trust relationship between the MIT KDC and the Active Directory. Else, even though you are able to kinit, services will not trust Kerberos tokens for that user and fail authentication. Looking at the error you are seeing, I assume you did this as well since the user appears to have been authenticated.</P> Wed, 07 Nov 2018 22:53:20 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/unable-to-authenticate-as-quot-username-quot-to-cluster/m-p/235530#M84750 rlevas 2018-11-07T22:53:20Z https://community.cloudera.com/t5/Archives-of-Support-Questions/unable-to-authenticate-as-quot-username-quot-to-cluster/m-p/235531#M84751 <P>Thanks <A rel="user" href="https://community.cloudera.com/users/322/rlevas.html" nodeid="322">@Robert Levas</A> This fixed it.</P> Thu, 08 Nov 2018 03:38:10 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/unable-to-authenticate-as-quot-username-quot-to-cluster/m-p/235531#M84751 narendra_klu9 2018-11-08T03:38:10Z https://community.cloudera.com/t5/Archives-of-Support-Questions/unable-to-authenticate-as-quot-username-quot-to-cluster/m-p/235532#M84752 <P><A rel="user" href="https://community.cloudera.com/users/23253/narendraklu9.html" nodeid="23253">@Narendra Neerukonda</A> Awesome... I am glad that I could help. Be sure to accept my answer to close out this issue. </P> Thu, 08 Nov 2018 04:16:14 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/unable-to-authenticate-as-quot-username-quot-to-cluster/m-p/235532#M84752 rlevas 2018-11-08T04:16:14Z