Created 04-19-2016 11:19 AM
I have raised this question earlier too, but still couldn't solve this issue. Any help would be great. Upgraded Ambari from 2.1 to 2.2, and after that, if I try to enable Kerberos, I see the error "KDC host unreachable". But in an environment where Ambari is still 2.1, I don't see this error. Is this a bug in Ambari for this upgrade?
Log messages are not clear
19 Apr 2016 05:56:16,683 WARN [qtp-ambari-client-29] KdcServerConnectionVerification:187 - An unexpected exception occurred while attempting to communicate with the KDC server at over TCP
19 Apr 2016 05:56:16,685 WARN [qtp-ambari-client-29] KdcServerConnectionVerification:187 - An unexpected exception occurred while attempting to communicate with the KDC server at over UDP
19 Apr 2016 05:56:16,685 ERROR [qtp-ambari-client-29] KdcServerConnectionVerification:113 - Failed to connect to the KDC at using either TCP or UDP
P.S.: I have just deleted the hostname in the above logs for the sake of anonymity.
Created 04-19-2016 12:15 PM
If you turn on debugging, the error message will contain the reason for failure. I am not sure why we need to turn on debugging to get more information - you would think that this info would be normally available.
To turn on debugging, edit /etc/ambari-server/conf/log4j.properties and set the following line (line #28) from:
log4j.rootLogger=INFO,file
to
log4j.rootLogger=DEBUG,file
Then restart ambari, try again and see what the error message is.
Since the log will be rather verbose, you will want to search (or grep) for "KdcServerConnectionVerification".
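The steps in the answer above as a script, added here as an example and not part of the original answer: it switches the rootLogger level while keeping a backup, and extracts the KdcServerConnectionVerification records together with their stack-trace lines, which a plain grep would drop. The function names, the hostname kdc.example.com and the sample file contents are constructed; the record-start pattern assumes the timestamp layout of the log lines quoted in the question.

```shell
#!/bin/sh
# Added example, not from the thread. File paths are arguments; the data
# written by make_sample is constructed for illustration.

# set_root_log_level FILE LEVEL
# Changes only the level on the log4j.rootLogger line, keeps the appender
# list (",file"), and saves the previous file as FILE.bak for switching back.
set_root_log_level() {
    case "$2" in
        TRACE|DEBUG|INFO|WARN|ERROR) ;;
        *) echo "unsupported level: $2" >&2; return 2 ;;
    esac
    grep -q '^log4j\.rootLogger=' "$1" || return 1
    cp -p "$1" "$1.bak" &&
    sed "s/^\(log4j\.rootLogger=\)[A-Za-z]*/\1$2/" "$1.bak" > "$1"
}

# kdc_check_records LOGFILE
# Prints each record logged by KdcServerConnectionVerification together with
# its continuation lines (exception and stack frames). Assumes a record
# starts with a "DD Mon YYYY HH:MM:SS,mmm " timestamp.
kdc_check_records() {
    awk '
        /^[0-9][0-9] [A-Z][a-z][a-z] [0-9][0-9][0-9][0-9] [0-9:,]+ / {
            keep = ($0 ~ /KdcServerConnectionVerification/)
        }
        keep
    ' "$1"
}

# make_sample DIR: writes a constructed properties file and log into DIR.
make_sample() {
    printf '%s\n' '# constructed sample' 'log4j.rootLogger=INFO,file' \
        'log4j.appender.file=org.apache.log4j.RollingFileAppender' \
        > "$1/log4j.properties"
    printf '%s\n' \
        '19 Apr 2016 05:56:16,600 DEBUG [main] OtherClass:10 - unrelated' \
        '19 Apr 2016 05:56:16,683 WARN [qtp-ambari-client-29] KdcServerConnectionVerification:187 - An unexpected exception occurred while attempting to communicate with the KDC server at kdc.example.com over TCP' \
        'java.lang.Exception: constructed placeholder for the real cause' \
        '    at constructed.Frame.method(Frame.java:1)' \
        '19 Apr 2016 05:56:16,700 INFO [main] OtherClass:20 - unrelated' \
        > "$1/sample.log"
}
```

After reproducing the error, copy the .bak file back over log4j.properties and restart Ambari so the server returns to INFO logging.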
Created 04-19-2016 11:36 AM
By "enable kerberos" you mean, using Ambari to enable Kerberos security? At what step in the wizard do you see this error?
In general: make sure your /etc/krb5.conf is still correct, especially the KDC host. Make sure your KDC host is running. Try to authenticate yourself on the node itself, basically running "kinit <principal>", afterwards "klist" should show a valid ticket.
Is this a local MIT KDC or are you using an AD KDC?
Created 04-20-2016 04:49 AM
@Jonas Straub, I am using MIT KDC and it is running fine. kinit and klist are working fine. I am getting the error when I click the "enable kerberos" wizard in Ambari.
These are the scenarios:
1. Lab environment - Ambari 2.2.x (KDC is running on the same machine) - KDC host not reachable is the error
2. Dev environment - Ambari 2.2.x - KDC host not reachable is the error. Before upgrading to 2.2 (in Ambari 2.1), I was able to connect to the same KDC which now throws the error.
3. Prod environment - Ambari 2.1 - NO error, I am able to connect to the same KDC which is running in the lab environment.
My question is: has this upgrade anything to do with this error?
Created 04-20-2016 06:19 AM
Thanks @Robert Levas, I enabled DEBUG and found out the issue. AES 256 was not enabled on the Linux machines. Ambari 2.1 doesn't seem to check this strictly, whereas Ambari 2.2 is strictly enforcing it. Thanks a lot for your help.