Thanks for the link to your kerberos bootstrap'er. It seems to work for me. Unfortunately I ran into a secondary problem and I'm not sure how to let Cloudera know about it.
On a clean CDH5.3 virtual machine I started Cloudera Manager and then ran your kerberos bootstrapper. Then I ran the Kerberos configuration wizard in Cloudera Manager. The restart failed to complete successfully. It seemed like the Yarn NameNode was having trouble with the topology.map amd container-executer.cfg file permissions in the /var/run/cloudera-scm-agent/process/??-yarn-NODEMANAGER/ directory (note: ?? is a number generated each time I tried to restart the NodeManager).
On further inspection, and a couple snapshot reverts, I think I found the real problem. the /etc and /etc/hadoop directories have group write permissions set. This was identified in the NodeManager logs. I started again and changed the permissions to remove the group write permission on both directories - before running the Cloudera Manager Kerberos configuration wizard. This time it seems to have worked. note: I hve not yet had a chance to test kerberos actually doing anything from a hdfs/hive/pig user perspective.
Only one last glitch in the system. It looks like Spark does not have Kerberos credentials created for it. The Spark History Server is showing as critical health and its log is identifying missing Kerberos credentials. When I look at the Kerberos Credentials screen in Cloudera Manager I see credentials for all the services excpt Spark. I'm not doing anything with Spark and I don't know anything about it so I'll just stop the service for now.
I am not sure if changing the directory permissions on /etc and /etc/hadoop will adversely affect other functions; but I hope my little investigation can help others.
