Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

MIT Kerberos to Active Directory migration issue

avatar
author-rank ebeb
Expert Contributor

Created on ‎01-08-2021 12:36 PM - edited ‎01-08-2021 12:45 PM

Hello Experts,

After changing MIT Kerberos to AD Kerberos and Regenerating all the Kerberos credentials in CM the zookeeper, YARN etc. is not starting. There is an error about the Active Directory samaccount not able to login as the zookeeper principal. I checked that the principals are created in the AD OrgUnit for Cloudera. And the $ kinit -kt zookeeper.keytab zookeeper/redacted@ADREALM on the linux servers works fine.  

Any thoughts how to fix?

 

SERVICE_TYPEZOOKEEPER SEVERITYCRITICAL 

STACKTRACE

javax.security.sasl.SaslException: Problem with callback handler [Caused by javax.security.sasl.SaslException: redacted@ADREALM.COM is not authorized to connect as zookeeper/redacted@ADREALM.COM] at com.sun.security.sasl.gsskerb.GssKrb5Server.doHandshake2(GssKrb5Server.java:333) at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:161) at org.apache.zookeeper.server.quorum.auth.SaslQuorumAuthServer.authenticate(SaslQuorumAuthServer.java:98) at org.apache.zookeeper.server.quorum.QuorumCnxManager.handleConnection(QuorumCnxManager.java:449) at org.apache.zookeeper.server.quorum.QuorumCnxManager.receiveConnection(QuorumCnxManager.java:387) at org.apache.zookeeper.server.quorum.QuorumCnxManager$QuorumConnectionReceiverThread.run(QuorumCnxManager.java:423) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: javax.security.sasl.SaslException: 

 

Thanks!

 

2,178 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank GangWar author-rank
Master Guru

Created ‎01-09-2021 06:42 AM

@ebeb From the logs seems like you are hitting a Java bug. This happens after upgrading the JDK version, on Open JDK versions after JDK8u262 this is due to: https://bugs.openjdk.java.net/browse/JDK-8230496

 

Resolution: 

Edit java.security file located in the active JDK on the clusters.

Add or alter sun.security.krb5.disableReferrals parameter, to ensure that the following is set to true:
sun.security.krb5.disableReferrals=true

You may find the Active JDK version being used by CDH by using the bigtop script to load the JAVA_HOME
source /opt/cloudera/parcels/CDH/bin/bigtop-detect-javahome
echo $JAVA_HOME
echo "sun.security.krb5.disableReferrals=true" >> $JAVA_HOME/jre/lib/security/java.security

Restart the service. 


Cheers!
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

View solution in original post

2,269 Views
1
3 REPLIES 3

avatar
author-rank GangWar author-rank
Master Guru

Created ‎01-09-2021 06:42 AM

@ebeb From the logs seems like you are hitting a Java bug. This happens after upgrading the JDK version, on Open JDK versions after JDK8u262 this is due to: https://bugs.openjdk.java.net/browse/JDK-8230496

 

Resolution: 

Edit java.security file located in the active JDK on the clusters.

Add or alter sun.security.krb5.disableReferrals parameter, to ensure that the following is set to true:
sun.security.krb5.disableReferrals=true

You may find the Active JDK version being used by CDH by using the bigtop script to load the JAVA_HOME
source /opt/cloudera/parcels/CDH/bin/bigtop-detect-javahome
echo $JAVA_HOME
echo "sun.security.krb5.disableReferrals=true" >> $JAVA_HOME/jre/lib/security/java.security

Restart the service. 


Cheers!
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
2,270 Views
1

avatar
author-rank ebeb
Expert Contributor

Created ‎01-09-2021 09:19 AM

@GangWar you are a genius! After this java parameter change all CDH services started smoothly and everything running fine with Active Directory kerberos. Thanks so much!
2,139 Views
0 Kudos

avatar
author-rank NoobSter
New Contributor

Created ‎10-02-2023 10:17 PM

Can you please help me on how can I migrate from MIT kerberos to AD kerberos if currently MIT kerberos is being used by 6000+ applications, or can you share some documentation on how to do it? 

1,264 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements