While enabling Kerberos, there are a series of actions that occur based on information found in the services' Kerberos Descriptor and service advisor code. Sometimes it may be unclear to Ambari what should be done during this process if the user had changed configuration values that disagree with what the Kerberos Descriptor and service advisor are designed to set.

You may be running in the issue presented in https://issues.apache.org/jira/browse/AMBARI-22801.

My only suggestion is to reset the values to what you want after Kerberos has been enabled. Keep in mind that the service engineers originally specified what the appropriate values are for the configurations when Kerberos is enabled. Changing them may result in unexpected errors.

Thanks @Robert Levas for your advice.

After looking deep into the resolution, I found an interesting article here: https://cwiki.apache.org/confluence/display/AMBARI/Automated+Kerberizaton

As we can see in the article, configurations changed based on different services' Kerberos Descriptor, which is a JSON-formatted text file containing information needed by Ambari to enable or disable Kerberos for a stack and its services. Therefore, if we wanna keep some configurations unchange while we "Enabling Kerberos/Adding Components/Regenerating Keytabs", we can just modify different services' Kerberos Descriptor.

The services' Kerberos Descriptor must be named kerberos.json and should be in the root directory of the relevant stack or service. Usually this file is under path "/var/lib/ambari-server/resources/stacks/HDP/3.0/services/:service_name/*".

However, as @Robert Levas mentioned above, "the service engineers originally specified what the appropriate values are for the configurations when Kerberos is enabled. Changing them may result in unexpected errors." If you really wanna change some configs and don't want it be overwritten by kerberos, just modify the kerberos.json file, but be careful.

Hope this can help others.