Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Services Failing After One-Way Trust With AD

Solved Go to solution

Services Failing After One-Way Trust With AD

Contributor

I have got a cluster with Ranger, Ranger KMS, KNOX, and Kerberos (MIT KDC). I've also got HA for Namenode, RM, HiveServer2, Oozie, HBase and Ranger. I've also set up a one-way trust to AD using

https://community.hortonworks.com/articles/59635/one-way-trust-mit-kdc-to-active-directory.html

After setting up the trust, I am able to get tickets for AD users, but my services on cluster start showing error (Mostly UI not accessible). When I run service check, I get the following error:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 401 Authentication required</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /webhdfs/v1/user/ambari-qa. Reason:
<pre>    Authentication required</pre></p><hr /><i><small>Powered by Jetty://</small></i><br/>                                                
<br/>                                                
<br/>   

While Rest of the services are fine; Yarn, Hive, Oozie, Ambari Infra and Spark 2 throws the above error on service check.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: Services Failing After One-Way Trust With AD

Contributor

Well, the issue has been solved. It seems like a bug in HDP 2.6. After setting up one-way trust, you need to remove [domain_realm] and [capaths] from your krb5.conf. Also, check for spnego keytabs that they are properly created with entries for all encryption types and are present on every node.

1 REPLY 1
Highlighted

Re: Services Failing After One-Way Trust With AD

Contributor

Well, the issue has been solved. It seems like a bug in HDP 2.6. After setting up one-way trust, you need to remove [domain_realm] and [capaths] from your krb5.conf. Also, check for spnego keytabs that they are properly created with entries for all encryption types and are present on every node.