Services Failing After One-Way Trust With AD

Contributor

I have got a cluster with Ranger, Ranger KMS, KNOX, and Kerberos (MIT KDC). I've also got HA for Namenode, RM, HiveServer2, Oozie, HBase and Ranger. I've also set up a one-way trust to AD using

https://community.hortonworks.com/articles/59635/one-way-trust-mit-kdc-to-active-directory.html

After setting up the trust, I am able to get tickets for AD users, but my services on the cluster start showing errors (mostly the UI is not accessible). When I run a service check, I get the following error:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
<title>Error 401 Authentication required</title>
</head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /webhdfs/v1/user/ambari-qa. Reason:
<pre>    Authentication required</pre></p><hr /><i><small>Powered by Jetty://</small></i><br/>                                                
<br/>                                                
<br/>   

While the rest of the services are fine, Yarn, Hive, Oozie, Ambari Infra and Spark 2 throw the above error on service check.

1 ACCEPTED SOLUTION

Contributor

Well, the issue has been solved. It seems like a bug in HDP 2.6. After setting up the one-way trust, you need to remove [domain_realm] and [capaths] from your krb5.conf. Also, check that the spnego keytabs are properly created, with entries for all encryption types, and are present on every node.
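
One way to run the keytab check from the accepted solution, as an added example that is not part of the original post: collect `klist -kte` output for the spnego keytab on each node and flag nodes where the HTTP principal is absent or lacks an expected encryption type. The hostnames, realm, enctype list and sample output are constructed, and the `HTTP/<host>` principal naming is an assumption.

```python
import re
from collections import defaultdict

# Data row of `klist -kte <keytab>`: KVNO, date, time, principal, (enctype).
# Newer MIT releases prefix weak types with "DEPRECATED:"; strip it.
ROW = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((?:DEPRECATED:)?([^)]+)\)\s*$")

def parse_klist(text):
    """Return {principal: {kvno: {enctype, ...}}} from klist -kte output."""
    entries = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries[m.group(2)][int(m.group(1))].add(m.group(3))
    return entries

def audit_nodes(outputs, expected):
    """outputs maps hostname -> klist text (None if the keytab is absent).
    Returns {hostname: problem} for every node that fails the check."""
    problems = {}
    for host, text in outputs.items():
        if not text:
            problems[host] = "keytab missing or unreadable"
            continue
        by_kvno = {p.split("@")[0]: k for p, k in parse_klist(text).items()}.get("HTTP/" + host)
        if not by_kvno:
            problems[host] = "no HTTP/%s entry" % host
            continue
        # Only the highest KVNO is checked: assumed to be the key version
        # the KDC currently issues service tickets with.
        missing = sorted(set(expected) - by_kvno[max(by_kvno)])
        if missing:
            problems[host] = "missing enctypes: " + ", ".join(missing)
    return problems

# Constructed inputs: the enctype list and per-node klist output are illustrative.
EXPECTED = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "arcfour-hmac"]
ROWFMT = "   %d 01/15/2018 10:00:00 HTTP/%s@EXAMPLE.COM (%s)"
def fake(host, kvno, types):
    return "KVNO Timestamp           Principal\n" + "\n".join(ROWFMT % (kvno, host, t) for t in types)
SAMPLE = {
    "node1.example.com": fake("node1.example.com", 1, EXPECTED[1:]) + "\n"
                         + fake("node1.example.com", 2, EXPECTED),
    "node2.example.com": fake("node2.example.com", 2, EXPECTED[1:]),
    "node3.example.com": None,
}

if __name__ == "__main__":
    for host, problem in sorted(audit_nodes(SAMPLE, EXPECTED).items()):
        print(host, "->", problem)
```

Replace `EXPECTED` with the encryption types your KDC actually issues, and feed `audit_nodes` the real `klist -kte` output gathered from each host.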

