Explorer
Posts: 10
Registered: ‎08-04-2015

kerberos - invalid principal

I have set up Kerberos authentication with Cloudera Manager. However, when the datanode tries to connect to the namenodes (HA) it throws an 'invalid principal' error. The servers are in a different domain than the authentication domain, but I was under the impression that the dfs.namenode.kerberos.principal and dfs.namenode.kerberos.spnego.principal would allow for this.

I can get this to work if I force all domains to the same KDC realm through the krb5.conf, but I would rather not do that.

I am using 5.4 of the CM and CDH. Any advice would be helpful at this point.

Thanks in advance...

Cloudera Employee
Posts: 229
Registered: ‎09-23-2013

Re: kerberos - invalid principal

You reconcile DNS domain differences to their KERBEROS REALM through the [domain_realms] section of the krb5.conf file. If CM is managing the krb5.conf, you can use the last safety valve to define the entire domain_realms section of the file, e.g.:

[domain_realm]
example.com = EXAMPLE.COM
other.net = OTHER.REALM
hostname.example.com = OTHER.REALM
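
Added example, not part of the reply above and not Cloudera's code: a small resolver showing which realm a host ends up in under the sample mappings. The lookup order (exact host first, then each parent domain with and without a leading dot) is modelled on MIT krb5; the function names, the [libdefaults] stanza and the host names in the comments are constructed for illustration.

```python
# Constructed krb5.conf text; the [domain_realm] entries are the ones from the thread.
KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM

[domain_realm]
example.com = EXAMPLE.COM
other.net = OTHER.REALM
hostname.example.com = OTHER.REALM
"""

def parse_domain_realm(text):
    """Return {lowercased host-or-domain: REALM} from the [domain_realm] section."""
    mapping, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("["):                  # section header
            in_section = line.lower() == "[domain_realm]"
            continue
        if in_section and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def candidates(hostname):
    """Yield lookup keys: the host itself, then '.parent' and 'parent' per level."""
    host = hostname.lower().rstrip(".")
    yield host
    while "." in host:
        host = host.split(".", 1)[1]
        yield "." + host
        yield host

def resolve_realm(hostname, mapping):
    """Return (realm, matching_key), or (None, None) when no entry applies.

    With no match the real library falls back to other mechanisms
    (KDC referrals, upper-cased domain); that fallback is not modelled here.
    """
    for key in candidates(hostname):
        if key in mapping:
            return mapping[key], key
    return None, None

# e.g. resolve_realm("dn01.example.com", parse_domain_realm(KRB5_CONF))
```

A host-specific entry wins over its domain's entry because the full host name is tried first, which is why a single server can be placed in a different realm from the rest of its DNS domain.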

Explorer
Posts: 10
Registered: ‎08-04-2015

Re: kerberos - invalid principal

That seemed to do the trick; hopefully forcing the server into a different domain won't break directory authentication.