I have enabled Kerberos using Ambari 2.2 with HDP 2.3.4 with non-local user and service accounts, which are stored in AD. However, Hive, Storm, Kafka and HBase start but then immediately shut down.
All indicate an issue similar to the following - Authfailed in zookeeper:
Hi @Ancil McBarnett!
Can you connect to ZooKeeper from the command line with a valid ticket without any errors?
Is HDFS in HA mode? If yes, can it connect to ZooKeeper?
Can you obtain a valid Kerberos ticket?
Are the user and service keytabs working?
Ok.. got the answer.
For Centrify we created service names that were prefixed with the cluster name. This was also done during the Kerberos wizard.
Unfortunately, if you do have the cluster with customized service names (as you should, if you are managing multiple clusters in an AD domain), you would have to ensure that ZooKeeper is aware of it.
We got everything working by setting zookeeper.sasl.client.username to the affected services.
export HADOOP_OPTS="$HADOOP_OPTS -Dzookeeper.sasl.client.username=<cluster prefix>-zookeeper"
to the following:
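
Added example, not part of the original thread: a shell check for the mismatch described in the answer above, comparing the primary of the ZooKeeper server principal in a keytab listing with the `zookeeper.sasl.client.username` a client JVM would use (the ZooKeeper client falls back to `zookeeper` when the property is unset). The `klist -kt` sample, the `hdpprod` prefix, the host, realm and function names are constructed for illustration.

```shell
# Constructed sample of `klist -kt` output for a ZooKeeper server keytab.
# The "hdpprod" cluster prefix, host and realm are made-up values.
SAMPLE_KLIST='Keytab name: FILE:zk.service.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------
   2 01/15/2016 10:12:01 hdpprod-zookeeper/zk1.example.com@EXAMPLE.COM
   2 01/15/2016 10:12:01 hdpprod-zookeeper/zk1.example.com@EXAMPLE.COM'

# Print the unique primaries (the part before "/") of the service
# principals found in klist output read from stdin.
keytab_primaries() {
    awk '$NF ~ /\/.*@/ { split($NF, p, "/"); print p[1] }' | sort -u
}

# Print the value of -Dzookeeper.sasl.client.username in a JVM options
# string, or the client default "zookeeper" when the property is absent.
sasl_client_username() {
    v=$(printf '%s\n' "$1" | tr ' ' '\n' |
        sed -n 's/^-Dzookeeper\.sasl\.client\.username=//p' | tail -n 1)
    printf '%s\n' "${v:-zookeeper}"
}

# Return 0 when the username the client will request matches a primary
# in the keytab listing. $1 = klist output, $2 = JVM options string.
check_zk_sasl_username() {
    want=$(sasl_client_username "$2")
    printf '%s\n' "$1" | keytab_primaries | grep -qx -- "$want"
}

# Demo: one options string without the property, one with it set.
for opts in "-Xmx1g" "-Xmx1g -Dzookeeper.sasl.client.username=hdpprod-zookeeper"; do
    if check_zk_sasl_username "$SAMPLE_KLIST" "$opts"; then
        echo "OK: client requests $(sasl_client_username "$opts")"
    else
        echo "MISMATCH: client requests $(sasl_client_username "$opts")," \
             "keytab has $(printf '%s\n' "$SAMPLE_KLIST" | keytab_primaries)"
    fi
done
```

On a real node, pass the output of `klist -kt` for the ZooKeeper service keytab as the first argument and the affected service's JVM options as the second.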