Env: Ambari 220.127.116.11, HDP 2.6.0, AD-backed Kerberos enabled, with Spark and other services present.
The spark user has been created as spark-CLUSTER (uppercase) as part of HDP 2.3.2.
Now, when trying to add the new Spark2 service, the keytab is getting generated for user spark-cluster.
I expect this, as we have the new property principal_suffix converting the cluster name to lower case.
Starting the Spark2 history server fails with "preauthentication failed while getting initial credentials".
When I listed the keytab using klist, the entries were for spark-cluster (lower case). However, when we switch to the spark user, the ticket it gets is still for spark-CLUSTER, which is the same as the user in AD.
Is this a known issue? Do we have any documents around this?
Should I change all the AD principal names to lower case and re-generate the keytabs for all the user principals?
I believe none of the service principals are affected here.
@Geoffrey Shelton, thanks for the document. I am familiar with the auth-to-local rules, and all our custom rules are also working fine. The problem here is with the Ambari script that generated the keytabs with the principal name in lower case, i.e. spark-cluster instead of spark-CLUSTER, which is causing the issue.
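A check for the mismatch described in this thread, as an added example that is not part of the original posts or of Ambari: it parses `klist -kt` output and reports keytab principals that differ only by case from the names stored in AD. The sample output, keytab path, realm, host name and AD list are constructed placeholders.

```python
import re

# Constructed sample of `klist -kt <keytab>` output (path, realm, dates are placeholders).
SAMPLE_KLIST = """\
Keytab name: FILE:/path/to/spark.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   1 01/01/2018 10:00:00 spark-cluster@EXAMPLE.COM
   1 01/01/2018 10:00:00 spark-cluster@EXAMPLE.COM
   1 01/01/2018 10:00:00 hive/node1.example.com@EXAMPLE.COM
"""

# Constructed: principal names exactly as they are stored in AD.
AD_PRINCIPALS = ["spark-CLUSTER@EXAMPLE.COM", "hive/node1.example.com@EXAMPLE.COM"]

# An entry line is: KVNO, date, time, principal (an enctype may follow with -e).
ENTRY = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)")


def keytab_principals(klist_output):
    """Return the distinct principals listed in `klist -kt` output, in order."""
    seen = []
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def case_mismatches(klist_output, ad_principals):
    """Return (keytab_name, ad_name) pairs that are equal only when case is ignored."""
    by_lower = {p.lower(): p for p in ad_principals}
    pairs = []
    for princ in keytab_principals(klist_output):
        ad_name = by_lower.get(princ.lower())
        if ad_name is not None and ad_name != princ:
            pairs.append((princ, ad_name))
    return pairs


if __name__ == "__main__":
    for keytab_name, ad_name in case_mismatches(SAMPLE_KLIST, AD_PRINCIPALS):
        print(f"case mismatch: keytab has {keytab_name}, AD has {ad_name}")
```
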