
Server has invalid Kerberos principal


Re: Server has invalid Kerberos principal

I only expect a keytab file to work on the particular host it was distributed to. This is because the service principals have the hostname where the service is running embedded in their names. So it is not recommended to copy them around.

That said, you might want to make sure that the hostname of the hosts is being represented the same via the different mechanisms for getting the host's name.

For example, hostname -f should be the fully qualified domain name (FQDN) of the host and return the same FQDN that was used to register with Ambari.


Re: Server has invalid Kerberos principal

Expert Contributor

This appears to be an FQDN issue. Does your DNS resolution happen through a DNS server or a hosts file? If it is a hosts file, make sure all nodes have the FQDN followed by their assigned IP address.


Re: Server has invalid Kerberos principal

@Robert Levas @Pranay Vyas

Name resolution works over a DNS server, but Kerberos seems to ignore it.

Adding IP/Hosts to the /etc/hosts file seems to help, so thank you for the tip!

However, this doesn't solve the problem but generates a different error message:

org.apache.hadoop.yarn.exceptions.YarnRuntimeException: org.apache.hadoop.security.authorize.AuthorizationException: User nm/msas6502i.msg.de@HDP23CLUSTER (auth:KERBEROS) is not authorized for protocol interface org.apache.hadoop.yarn.server.api.ResourceTrackerPB, expected client Kerberos principal is nm/10.100.233.13@HDP23CLUSTER
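
Added example, not part of the original thread and not Hadoop's own code: a Python check that the host part of a service principal, the local FQDN (what hostname -f prints) and forward and reverse name resolution all agree, which is the consistency the first reply asks for. The resolver stubs are constructed, and the fallback to the IP text when no reverse record exists is an assumption chosen to reproduce the mismatch in the error message above.

```python
import socket

def split_principal(principal):
    """Split 'service/host@REALM' into (service, host, realm)."""
    name, realm = principal.rsplit("@", 1)
    service, host = name.split("/", 1)
    return service, host.lower(), realm

def name_seen_by_peer(ip, reverse=socket.gethostbyaddr):
    """Name a remote server derives from our IP. Assumption: with no reverse
    record it falls back to the IP text, as the error in the thread suggests."""
    try:
        return reverse(ip)[0].lower()
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return ip

def audit(principal, local_fqdn, forward=socket.gethostbyname,
          reverse=socket.gethostbyaddr):
    """List mismatches between the principal's host part, the local FQDN
    (what `hostname -f` prints) and forward/reverse resolution."""
    service, host, realm = split_principal(principal)
    problems = []
    if host != local_fqdn.lower():
        problems.append(f"principal host {host} != local FQDN {local_fqdn}")
    try:
        ip = forward(host)
    except OSError:
        return problems + [f"{host} has no forward record"]
    seen = name_seen_by_peer(ip, reverse)
    if seen != host:
        problems.append(f"peer expects {service}/{seen}@{realm}, "
                        f"service presents {principal}")
    return problems

# Constructed resolver stubs (not real DNS data) mirroring the thread's hosts.
def fake_forward(name):
    if name != "msas6502i.msg.de":
        raise socket.gaierror(name)
    return "10.100.233.13"
def missing_reverse(ip):
    raise socket.herror(1, "Unknown host")
def good_reverse(ip):
    return ("msas6502i.msg.de", [], [ip])

if __name__ == "__main__":
    p = "nm/msas6502i.msg.de@HDP23CLUSTER"
    print(audit(p, "msas6502i.msg.de", fake_forward, missing_reverse))
    print(audit(p, "msas6502i.msg.de", fake_forward, good_reverse))
```

Called without the stub arguments, audit() uses the system resolver, so it reflects whatever /etc/hosts and DNS return on the node where it runs.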

Re: Server has invalid Kerberos principal

I had to unkerberize and rekerberize the cluster, now it works!

Re: Server has invalid Kerberos principal

@Robert Levas @Pranay Vyas It was definitively a DNS problem: Kerberos can't use the DNS; it can resolve names only over /etc/hosts.

Many thanks!
