Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Ambari cluster with Kerberos - wrong principal expected

Labels:
avatar
author-rank milan_sladky
Contributor

Created ‎07-10-2016 03:22 PM

I have successfully enabled Kerberos for Ambari managed cluster. I have used the Wizard to generate the principals and everything. However the datanodes do not connect to namenodes. The reason is following:

2016-07-08 16:10:54,753 INFO ipc.Server (Server.java:doRead(891)) - Socket Reader #1 for port 8020: readAndProcess from client 172.30.52.137 threw exception [org.apache.hadoop.security.authorize.AuthorizationException: User dn/hadoop-poc2-02.int.na.prodxxx.com@HADOOPXXX.COM (auth:KERBEROS) is not authorized for protocol interface org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol, expected client Kerberos principal is dn/172.30.52.137@HADOOPXXX.COM]

They expect principals containing IP address instead of hostnames... I have checked the keytabs and it is generated properly:

Keytab name: FILE:dn.service.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 dn/hadoop-poc2-02.int.na.prodxxx.com@HADOOPXXX.COM
1 dn/hadoop-poc2-02.int.na.prodxxx.com@HADOOPXXX.COM
1 dn/hadoop-poc2-02.int.na.prodxxx.com@HADOOPXXX.COM
1 dn/hadoop-poc2-02.int.na.prodxxx.com@HADOOPXXX.COM
1 dn/hadoop-poc2-02.int.na.prodxxx.com@HADOOPXXX.COM

Any hints?

3,209 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank milan_sladky
Contributor

Created ‎07-11-2016 06:29 AM

hide-solution

This problem has been solved!

Want to get a detailed solution you have to login/registered on the community

Register/Login
2,174 Views
3 REPLIES 3

avatar
Former Member

Created ‎07-10-2016 04:38 PM

@Milan Sladky

Are you sure that the hostname resolution is correct at your end? like `hostname -f` or "/etc/hosts" file ...etc.

It looks suspect because the Error indicates IPAddress "expected client Kerberos principal is dn/172.30.52.137@HADOOPXXX.COM]"

Where as your keytabs looks more valid with the hostname "dn/hadoop-poc2-02.int.na.prodxxx.com@HADOOPXXX.COM"

2,174 Views
0 Kudos

avatar
author-rank milan_sladky
Contributor

Created ‎07-11-2016 06:22 AM

The hostname resolution works fine. However the issue is very likely in reverse lookups for IP addresses.

2,174 Views
0 Kudos

avatar
author-rank milan_sladky
Contributor

Created ‎07-11-2016 06:29 AM

hide-solution

This problem has been solved!

Want to get a detailed solution you have to login/registered on the community

Register/Login
2,175 Views
webinar banner
Announcements
Community Announcements
CommunityOverCode Asia 2024 will be held in Hangzhou from Ju...
What's New @ Cloudera
Apache Flink is Now Generally Available in the Cloudera Stre...
Product Announcements
[ANNOUNCE] Cloudera Data Services 1.5.4 on Private Cloud Rel...
What's New @ Cloudera
Run your Apache NiFi and Apache Kafka workloads on Kubernete...
What's New @ Cloudera
Cloudera DataFlow now powers GenAI pipelines and supports ch...
View More Announcements
meetups banner