Client not found in kerberos database error
Labels: Apache Ambari
Created ‎03-29-2016 06:02 AM
Hello,
All services are failing post enabling Kerberos with error - "client not found in kerberos database".
kinit yields the same error while using the svchdfs account through keytab. kinit to svchdfs works fine if logged in through password. Same error post regenerating keytabs.
Appreciate any pointers.
1) HDP 2.3.4.0, Ambari 2.2.0.
2) Pre-created service accounts are used.
3) AD as Kerberos.
4) AD Structure
OU ---level1---> HADOOP
---level1---> cluster1 - serviceprincipals
---level1---> PROD
--------level2--------> cluster2 serviceprincipals
cluster1 is working fine, cluster2 fails.
Regards
PranayVyas
Created ‎03-29-2016 08:31 PM
Hi Jason,
1) klist from svchdfs says no ticket cache
2) klist of keytab shows svchdfs-<clustername>@REALM.COM
3) kinit -kt hdfs.headless.keytab svchdfs-<clustername>
We noticed that svchdfs-<clustername> exists at 2 OUs within AD. That could be a cause since Kerberos is unable to uniquely identify the service account. We are trying to delete the duplicate one.
Regards
Pranay Vyas
Created ‎04-06-2016 09:40 PM
Check if the Kerberos realm name in AD is in lowercase. I have seen this problem if that is the case. If it is, you would be able to complete the Kerberos wizard, but service startup will fail with this error. The MIT KDC libraries require the realm to be uppercase for things to work properly.
Created ‎04-07-2016 06:09 PM
Thanks emaxwell and Jason. The problem was due to duplicate HTTP and http accounts in AD. Deleting the Centrify's 'http' account resolved all issues.
Created ‎04-07-2016 06:22 PM
I accepted your answer as we want to show the exact solution, which was different from what was suggested by others.
Created ‎08-31-2017 11:37 PM
As we have been bitten by the AD issues mentioned by @Pranay Vyas, I thought I'd expand upon the issue.
We wanted two clusters as similar as possible for DR purposes and were looking at using different AD OUs but the same cluster name. Please note that, as in HDP 2.5.5 Ambari 2.4.2, keytabs will be generated following the "name-cluster-name" pattern (i.e. ambari-qa-sandpit).
You can create the two sets of AD principals but it fails (usually around Zookeeper) with the issue "client not found in kerberos database" even though you can see the entities in AD or via an ldapsearch. This means by default you can't have two clusters with the same name connected to the same AD.
We didn't investigate changing the kerberos naming pattern but this could possibly fix the issue.
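The duplicate-account causes reported in this thread (the same principal under two OUs, and `HTTP` and `http` accounts that differ only by case) can be checked for in an LDIF export such as `ldapsearch` output. This is an added example, not part of any post above; the sample entries, the EXAMPLE.COM realm and the function names are constructed for illustration.

```python
import base64
from collections import defaultdict

# AD attributes that name a Kerberos principal.
PRINCIPAL_ATTRS = {"userprincipalname", "serviceprincipalname"}
# Constructed sample in the LDIF form ldapsearch prints (not real directory data).
SAMPLE_LDIF = """\
dn: CN=svchdfs-cluster2,OU=cluster1,OU=HADOOP,DC=example,DC=com
userPrincipalName: svchdfs-cluster2@EXAMPLE.COM

dn: CN=svchdfs-cluster2,OU=cluster2,OU=PROD,OU=HADOOP,DC=example,
 DC=com
userPrincipalName: svchdfs-cluster2@EXAMPLE.COM

dn: CN=HTTP-node1,OU=cluster2,OU=PROD,OU=HADOOP,DC=example,DC=com
servicePrincipalName: HTTP/node1.example.com

dn: CN=node1,OU=Unix,DC=example,DC=com
servicePrincipalName: http/node1.example.com
"""

def parse_ldif(text):
    """Yield (dn, value) for each principal attribute of each entry."""
    # LDIF folds long lines; a continuation line starts with one space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        dn = None
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            if attr.lower() == "dn":
                dn = value.strip()
            elif dn and attr.lower() in PRINCIPAL_ATTRS:
                yield dn, value.strip()

def find_duplicate_principals(text):
    """Map each principal name (lowercased) held by 2+ entries to their DNs."""
    owners = defaultdict(set)
    for dn, value in parse_ldif(text):
        # Case-insensitive on purpose: HTTP/host and http/host collide.
        owners[value.lower()].add(dn)
    return {n: sorted(d) for n, d in owners.items() if len(d) > 1}

if __name__ == "__main__":
    for name, dns in find_duplicate_principals(SAMPLE_LDIF).items():
        print(f"DUPLICATE {name}", *dns, sep="\n    ")
```

Any name it reports is held by more than one directory entry and is worth reviewing before regenerating keytabs.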
