Created on 07-11-2016 07:36 PM - edited 09-16-2022 03:29 AM
We have made it through most of the Kerberos wizard but got stuck on the last step, where it is attempting to start services. The ZooKeeper status check fails and we've found out that the ZooKeeper server is not starting up.
The error in zookeeper.log is:
2016-07-11 14:12:12,565 - INFO [main:FourLetterWordMain@43] - connecting to localhost 2181
2016-07-11 14:13:34,001 - ERROR [main:QuorumPeerMain@89] - Unexpected exception, exiting abnormally
java.io.IOException: Could not configure server because SASL configuration did not allow the ZooKeeper server to authenticate itself properly: javax.security.auth.login.LoginException: Receive timed out
    at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:207)
    at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:87)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:130)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:111)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:78)
I've done some research and found this helpful page about Kerberos errors. I've run through the list of possible causes and I am at a loss, because we were able to progress through the rest of the wizard OK. All the principals were created by Ambari in Active Directory OK. I can also become the zookeeper user, kinit using zk.service.keytab, and klist perfectly fine.
It seems to me that network issues are the most likely... but shouldn't kinit rule out any firewall or hostname issues with Kerberos? Is there a config somewhere I'm missing?
We are using Ambari 2.2.2.0 and HDP 2.3.2.0.
Created 07-12-2016 02:49 PM
Hey @Kit Menke
Have you tried turning off UDP? If not, add the property and value:
udp_preference_limit = 1
to your /etc/krb5.conf and see if that solves your problem.
If you have Ambari managing the krb5.conf, go to Kerberos -> Advanced krb5.conf -> krb5-conf template and add the property to the [libdefaults] section. Save the changes and let Ambari push out the changes to the hosts.
If you are managing the /etc/krb5.conf file, then you will have to add the property and push out changes yourself.
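The check implied by the answer above, as an added example that is not part of the original post: a shell function that reads a krb5.conf and reports whether udp_preference_limit in [libdefaults] puts TCP first. The function names and the sample file contents (EXAMPLE.COM, kdc.example.com) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report udp_preference_limit from the [libdefaults]
# section of a krb5.conf. Function names are hypothetical.

# Print the first udp_preference_limit value found in [libdefaults];
# print nothing if the property is absent, commented out, or in another section.
krb5_udp_limit() {
    awk '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/   { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*udp_preference_limit[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")                 # drop "name ="
            sub(/[ \t\r]*$/, "")                     # drop trailing whitespace
            print; exit
        }
    ' "$1"
}

# Classify the transport order. MIT krb5 documents that requests smaller
# than udp_preference_limit are sent over UDP first, so a value of 1
# puts TCP first for every request.
krb5_transport() {
    limit=$(krb5_udp_limit "$1")
    case "$limit" in
        "")        echo "udp-first (udp_preference_limit not set)" ;;
        *[!0-9]*)  echo "invalid value: $limit" ;;
        1)         echo "tcp-first" ;;
        *)         echo "udp-first for requests under $limit bytes" ;;
    esac
}

# Constructed sample file, not taken from the cluster in this thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.COM
  # udp_preference_limit = 1465
  udp_preference_limit = 1

[realms]
  EXAMPLE.COM = {
    kdc = kdc.example.com
  }
EOF
krb5_transport "$sample"
rm -f "$sample"
```

On a cluster host, call `krb5_transport /etc/krb5.conf` after Ambari has pushed the template to confirm the property landed in the right section.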
Created 07-12-2016 04:38 AM
@Kit Menke Can you verify your KDC is using UDP and not TCP?
Created 03-18-2017 06:24 AM
How to verify?
Created 03-18-2017 11:46 AM
@abhil sam, There are several ways to do this. The easiest is to take a look at the kdc.conf file, usually at /var/kerberos/krb5kdc/kdc.conf. In this file you will see a block that contains something like the following:
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
However, it may not have both properties (kdc_ports, kdc_tcp_ports).
Another way is to use the netcat (nc) utility:
TCP: nc -vz -t hostname 88
UDP: nc -vz -u hostname 88
You seem to need to use the actual hostname or FQDN for the UDP socket test to work. I tried localhost and it didn't work.
Examples:
[root@my_hostname ~]# nc -vz -u my_hostname 88
Connection to my_hostname 88 port [udp/kerberos] succeeded!
[root@my_hostname ~]# nc -vz -t my_hostname 88
Connection to my_hostname 88 port [tcp/kerberos] succeeded!
Created 03-19-2017 06:47 AM
When I try the TCP port I am getting connection refused.
For UDP it is OK.
What could be the reason?
Created 07-13-2016 09:12 PM
Thanks @Terry Padgett! This worked and we were able to start ZooKeeper after adding this entry in Ambari. Looks like we'll need to follow up with networking to see about opening up UDP.