
HDP 2.6.5 - kerberized - one way trust to AD functional / cannot access webhdfs nor access SOLR console UI


Hello all,

We've been able to configure a one-way trust to AD with our HDP 2.6.5.

After removing the local user from the local MIT KDC, we can do the following from the EDGE node: hdfs dfs -ls /tmp

Now, we have 2 issues which probably boil down to the same.

  1. We cannot access webhdfs from a Firefox-enabled browser (which used to work prior to the one-way trust setup, using the local KDC user).
    We've seen https://community.hortonworks.com/questions/73846/spnego-issue-after-setting-up-mit-kdc-one-way-trus... but the solution given is multidirectional.
    We have set in /etc/krb5.conf the declaration of both the AD and local MIT servers, but we have
    [domain_realm]
    AD_domain = LOCAL_MIT_KDC

    We do not have the .AD_domain = LOCAL_MIT_KDC
    Could someone shed light on the use and necessity of this latter '.'-prefixed domain conf?

    Also, hostnames are resolved correctly, not from /etc/host but using DNS (domainname=(None) while dnsdomainname=correct domain). Also, /etc/hostname contains the fully qualified hostname.
    nsswitch.conf resolves hosts first by files, then DNS.
    So, in the previously linked solution, the suggestion to add the fully qualified host in /etc/host does not seem necessary, unless some good reason is given.

    Do we have to follow both setups described here in order to get access to webhdfs for browsing content?
  2. We cannot access the SOLR console UI from Ambari.
    Is there something special to perform on SOLR Cloud to enable access to the SOLR console UI after kerberization and/or one-way trust AD?

For the record, the kerberization of the access to Ambari is not done on our side. Could that be the reason for one or both of these behaviours?

Looking forward to a thread of light from other experts.
