Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Impala after Kerberos hybrid AD/IPA

Impala after Kerberos hybrid AD/IPA

Explorer

Hi everyone,

 

I've a cluster with a FreeIPA as Idm server in trust relation with AD.

 

For policy we have to create the service principals in a AD OU, so i've initialized kerberos in AD scenario.

 

Everithing works but not Impala.

 

More in deep, i've got problem with the statestore, it seems to reverse principals name to AD sAMAccountName.

....

3:02:35.618 PM INFO cc:113 TAcceptQueueServer: Caught TException: SASL(-13): authentication failure: Unable to find a callback: 32775

3:02:38.629 PM INFO cc:420 Kerberos principal should be of the form: <service>/<hostname>@<realm> - got: hsoCjEqvNJ@REALM.MASK

....

there is a way to force impala to not canonicalize the principals ?

 

CDH 5.16.1

CM 6.13.1

 

Thanks in advance,

Ivan

1 REPLY 1

Re: Impala after Kerberos hybrid AD/IPA

Explorer

Hi,

 

Adding new informations,

 

On impala deamons logs  i can see that impala is using sAMAccountName as short username:

 

3:03:00.473 PM INFO cc:362 Logged in from keytab as impala/MASK_HOSTNAME@RELAM.MASK(short username hsoCjEqvNJ@realm.mask)

3:03:00.474 PM INFO cc:866 Kerberos ticket granted to impala/MASK_HOSTNAME@RELAM.MASK
3:03:00.474 PM INFO cc:730 Using external kerberos principal "impala/MASK_HOSTNAME@RELAM.MASK"

 

Don't have an account?
Coming from Hortonworks? Activate your account here