After enabling kerberos, unable to access any of the Web UI.

avatar

After enabling kerberos, unable to access any of the Web UI. As per HWX docs, SPNEGO has been enabled, but still facing issue in accessing the Web UI. 

avatar
Master Mentor

@saivenkatg55 

Did you set these parameters?

 

Configure the following environment properties for MIT Kerberos.

  • KRB5_CONFIG: Path for the kerberos ini file.

  • KRB5CCNAME: Path for the kerberos credential cache file.

Please revert 

avatar

the variables are configured in the /etc/krb5.conf

avatar

@Shelton After changing the realm in KDC.conf, now able to execute HDFS commands.

After enabling Kerberos, unable to access any of the web UIs like HDFS, YARN, MapReduce.

avatar
Super Collaborator

 @saivenkatg55 

There are extended desktop configuration items necessary to clue the Windows desktop in to what REALM and KDC the cluster is using, as well as what domain names (the ones used by the cluster) map to which Kerberos REALM.

 

You need to run this in Windows cmd as admin

 

ksetup /addkdc <REALM> <KDC hostname>
ksetup /addhosttorealmmap <httpFS hostname> <REALM>

 

and set the SPNEGO settings in the browser

Refer: https://docs.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_browser_access_kerberos_prot...

avatar

I am getting the below error while doing ksetup

Failed to create Kerberos key: 5 (0x5)
Failed to open Kerberos Key: 0x5
Failed /AddKdc : 0xc0000001

avatar
Super Collaborator

@saivenkatg55 

 

You should be executing the commands as a Windows admin user only, with the corresponding realm and KDC parameters.

avatar

ok. ksetup /addhosttorealmmap <httpFS hostname> <REALM>

 

Does httpFS hostname mean the namenode host name?

avatar
Super Collaborator

httpFS hostname is the hostname of the web UI you want access to.

This command is used to map the domain name being used by cluster nodes to the Kerberos REALM they belong to. A specific hostname with domain name can be configured, or all hosts in a domain with a "." before the domain or subdomain.

Eg:

C:\Windows\system32>ksetup /addhosttorealmmap .example.com CLUSTER.REALM 

 

 It can be run multiple times to add specific domains/hosts to the mapping to the CLUSTER.REALM.

avatar

ksetup is done, and I changed the below property in Mozilla Firefox as per the HWX docs, but the name node UI is still not opening.

 

  1. For FireFox:

    Navigate to the about:config URL (type about:config in the address box, then press the Enter key).

    Scroll down to network.negotiate-auth.trusted-uris and change its value to your cluster domain name (For example, .hwx.site).

    Change the value of network.negotiate-auth.delegation-uris to your cluster domain name (For example, .hwx.site).
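
Added example, not part of the thread and not Cloudera/HWX code: a Python sketch for narrowing down where browser access fails, by checking which realm a web UI host falls under given `ksetup /addhosttorealmmap` style entries (specific host or leading-dot domain, as described above) and classifying the HTTP response the UI returns. The mappings, hostnames and port are constructed; the exact-host-over-domain precedence is an assumption modelled on MIT krb5 `[domain_realm]`, and no DNS canonicalization is done.

```python
from urllib.parse import urlsplit

# Constructed entries, as given to: ksetup /addhosttorealmmap <host-or-.domain> <REALM>
MAPPINGS = [(".example.com", "CLUSTER.REALM"),
            ("nn1.corp.example.com", "CORP.REALM")]

def realm_for(host, mappings=MAPPINGS):
    """Exact host entry wins, else the longest matching ".domain" entry
    (assumed precedence, modelled on MIT krb5 [domain_realm])."""
    host = host.lower().rstrip(".")
    best = None
    for name, realm in mappings:
        name = name.lower()
        if name == host:
            return realm
        if name.startswith(".") and host.endswith(name):
            if best is None or len(name) > len(best[0]):
                best = (name, realm)
    return best[1] if best else None

def expected_spn(url, mappings=MAPPINGS):
    """Service principal a SPNEGO client would request for this URL,
    or None when the host maps to no realm."""
    host = urlsplit(url).hostname
    realm = realm_for(host, mappings) if host else None
    return f"HTTP/{host}@{realm}" if realm else None

def diagnose(status, headers):
    """Heuristic reading of one response from a Kerberos-protected web UI.
    headers is a list of (name, value) pairs."""
    offers = {v.split()[0].lower() for k, v in headers
              if k.lower() == "www-authenticate" and v.split()}
    if status == 401 and "negotiate" in offers:
        # Server side SPNEGO is on; look at the client: TGT, realm map, browser prefs.
        return "server offers SPNEGO, client sent no usable ticket"
    if status == 401:
        return "server did not offer Negotiate"
    if status == 403:
        return "refused: token rejected or principal not authorized"
    if 200 <= status < 400:
        return "request accepted"
    return "not an authentication response"

if __name__ == "__main__":
    url = "http://nn1.example.com:50070/"  # constructed NameNode UI URL
    print(expected_spn(url))
    print(diagnose(401, [("WWW-Authenticate", "Negotiate")]))
```

A `None` from `expected_spn` means the host is not covered by any mapping entry, which is the case the `/addhosttorealmmap` step is meant to fix.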