Support Questions

Find answers, ask questions, and share your expertise
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

Connecting from Active Directory to a Kerberos Cluster

New Contributor


Does anyone had a chance to work with JDBC and Oozie against a Kerberised cluster with AD?

Created the following topology:

  • A 3 node Hortonworks cluster HDP 2.6 on top of Linux 7.2.
  • 1 Active Directory running on Windows Server 2012.
  • Trusted releations between the cluster domain and Active Directory domain using CA certificate.

I managed to:

  • Connect from Windows client (using the AD server) to Hive2 server using Hortonworks ODBC driver.
  • Connect from any Linux node to Hive2 using Java based beeline.
  • I could not yet connect from Windows client to Hive2 using JDBC connection string.
  • I could not yet connect from Windows client to Oozie using https from a browser.

To test Java connection string I am using DbVisualizer 10.0.4.

Following links describe how to connect to a Kerberised cluster:

But I keep getting GSS initiate failed – meaning it does not recognize the keytabs:

Klist show


Current LogonId is 0:0x1274b1

Cached Tickets: (2)

#0> Client: Administrator @ LABS.LOCAL

Server: krbtgt/LABS.LOCAL @ LABS.LOCAL

KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize

Start Time: 12/11/2017 15:52:13 (local)

End Time: 12/12/2017 1:52:13 (local)

Renew Time: 12/18/2017 15:52:13 (local)

Session Key Type: AES-256-CTS-HMAC-SHA1-96

Cache Flags: 0x1 -> PRIMARY

Kdc Called: LABS-DC

#1> Client: Administrator @ LABS.LOCAL

Server: hive/act-no-000474.lab.local @ LABS.LOCAL

KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)

Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize

Start Time: 12/11/2017 15:53:15 (local)

End Time: 12/12/2017 1:52:13 (local)

Renew Time: 12/18/2017 15:52:13 (local)

Session Key Type: RSADSI RC4-HMAC(NT)

Cache Flags: 0

Kdc Called: LABS-DC



Super Collaborator

I guess the ticket hive/act-no-000474.lab.local @ LABS.LOCAL is the one used to connect to HIVE, while krbtgt/LABS.LOCAL @ LABS.LOCAL is your Windows AD ticket? What may be the case is that the encryption type is incompatible:

But this is just guessing. Can you try a klist on the Linux machine where the authentication is working?

Another posssible root cause could be that the config for the DBVisualizer doesn't pick tickets from the Windows key store and therefore fails to authenticate. I guess you have not installed an extra Kerberos on the Windows machine, but you use the built-in Kerberos of Windows AD?

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.