Support Questions

Find answers, ask questions, and share your expertise

Impala after Kerberos hybrid AD/IPA


Hi everyone,


I've a cluster with a FreeIPA as Idm server in trust relation with AD.


For policy we have to create the service principals in a AD OU, so i've initialized kerberos in AD scenario.


Everithing works but not Impala.


More in deep, i've got problem with the statestore, it seems to reverse principals name to AD sAMAccountName.


3:02:35.618 PM INFO cc:113 TAcceptQueueServer: Caught TException: SASL(-13): authentication failure: Unable to find a callback: 32775

3:02:38.629 PM INFO cc:420 Kerberos principal should be of the form: <service>/<hostname>@<realm> - got: hsoCjEqvNJ@REALM.MASK


there is a way to force impala to not canonicalize the principals ?


CDH 5.16.1

CM 6.13.1


Thanks in advance,






Adding new informations,


On impala deamons logs  i can see that impala is using sAMAccountName as short username:


3:03:00.473 PM INFO cc:362 Logged in from keytab as impala/MASK_HOSTNAME@RELAM.MASK(short username hsoCjEqvNJ@realm.mask)

3:03:00.474 PM INFO cc:866 Kerberos ticket granted to impala/MASK_HOSTNAME@RELAM.MASK
3:03:00.474 PM INFO cc:730 Using external kerberos principal "impala/MASK_HOSTNAME@RELAM.MASK"