Posts: 36
Registered: ‎01-11-2016
Accepted Solution

HDFS command "hdfs dfs -ls /" throws "ls: failure to login" error on Kerberized CDH cluster



I'm not sure if this is in the correct Board/Topic....but I wasn't sure which board to post into.


We have setup a Kerberized CDH cluster (CDH 5.9.0) via the CM Security -> Kerberos Wizard and have the cluster communicating with an MS Active Directory pair for LDAP/Kerberos etc


No issues there.


I have setup a client node that has the following services installed:


  • HDFS HttpFS
  • Hive Gateway
  • HiveServer2
  • Hive WebHCat Server
  • Hue Server
  • Hue Kerberos Ticket Renewer
  • Oozie Server
  • Spark Gateway
  • Sqoop 2 Server
  • YARN (MR2 Included) Gateway



When I try and access HDFS after generating a kerberos TGT for my principal "dreeves", it works, but I cannot then use HDFS...


Please see below.


Any advice and assistance anyone could provide would be great !



[root@{obfuscated-machinename}-ecli001~]#  su - dreeves@{obfuscated-domain}.COM.AU
Last login: Thu Jan 26 06:04:01 AEDT 2017 on pts/1
id: cannot find name for group ID 33600512
Kerberos kinit seems OK:
[dreeves@{obfuscated-domain}@{obfuscated-machinename}]$ kinit dreeves@{obfuscated-domain}.COM.AU
Password for dreeves@{obfuscated-domain}.COM.AU:    {obfuscated-password}
Kerberos klist seems OK:
[dreeves@{obfuscated-domain}@{obfuscated-machinename}]$ klist
Ticket cache: FILE:/tmp/krb5cc_33601114
Default principal: dreeves@{obfuscated-realm}.COM.AU
Valid starting       Expires              Service principal
01/27/2017 08:27:18  01/27/2017 18:27:18  krbtgt/{obfuscated-domain}.COM.AU@{obfuscated-realm}.COM.AU
        renew until 02/03/2017 08:27:07
But HDFS commands have issues:
[dreeves@{obfuscated-domain}@{obfuscated-machinename}]$ hdfs dfs -ls /
ls: failure to login








Posts: 36
Registered: ‎01-11-2016

Re: HDFS command "hdfs dfs -ls /" throws "ls: failure to login" error on Kerberi

Problem resolved....a case of PEBCAK....


I needed to generate the Kerberos user/principal keytab file using the "ktutil" command before trying to "kinit" using the keytab:


kinit dreeves@{obfuscated-realm}.COM.AU -k -t dreeves.keytab



Once that was completed, "hdfs dfs -ls /" worked without a problem.