kerberos - invalid principal

Explorer

I have set up Kerberos authentication with Cloudera Manager. However, when the datanode tries to connect to the namenodes (HA) it throws an 'invalid principal' error. The servers are in a different domain than the authentication domain but I was under the impression that the dfs.namenode.kerberos.principal and dfs.namenode.kerberos.spnego.principal would allow for this.

I can get this to work if I force all domains to the same KDC realm through the krb5.conf but I would rather not do that.

I am using 5.4 of the CM and CDH. Any advice would be helpful at this point.

Thanks in advance...

 

Re: kerberos - invalid principal

Super Collaborator

You reconcile DNS domain differences to their KERBEROS REALM through the [domain_realms] section of the krb5.conf file. If CM is managing the krb5.conf, you can use the last safety valve to define the entire domain_realms section of the file, e.g.:

[domain_realm]
example.com = EXAMPLE.COM
other.net = OTHER.REALM
hostname.example.com = OTHER.REALM
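
A way to check such a mapping before rolling it out, as an added example that is not part of the original reply or of Cloudera's tooling: it parses a [domain_realm] section and reports the realm a host resolves to, then compares that with the realm in a service principal. It assumes the suffix search order documented for MIT krb5 (host name first, then each parent domain with and without a leading dot); the host names and hdfs/ principals are constructed.

```python
# Added example: models the [domain_realm] lookup order (assumption: MIT krb5
# semantics). The config is the sample from the reply; hosts are constructed.

SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM

[domain_realm]
example.com = EXAMPLE.COM
other.net = OTHER.REALM
hostname.example.com = OTHER.REALM
"""

def parse_domain_realm(text):
    """Return the [domain_realm] section as a {name: REALM} dict."""
    mapping, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_section = line.lower() == "[domain_realm]"
        elif in_section and "=" in line:
            name, realm = (part.strip() for part in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping

def realm_for_host(host, mapping):
    """Most specific entry wins; None means no entry matched."""
    p = host.lower().rstrip(".")
    while p:
        if p in mapping:
            return mapping[p]
        if p.startswith("."):
            p = p[1:]                      # ".other.net" -> "other.net"
        else:
            dot = p.find(".")
            p = p[dot:] if dot != -1 else ""  # "nn1.other.net" -> ".other.net"
    return None

def check_principal(principal, mapping):
    """Compare the realm in service/host@REALM with the realm mapped for host."""
    name, _, realm = principal.rpartition("@")
    host = name.split("/", 1)[-1]
    mapped = realm_for_host(host, mapping)
    return mapped == realm, mapped

if __name__ == "__main__":
    m = parse_domain_realm(SAMPLE_KRB5_CONF)
    for p in ("hdfs/nn1.other.net@OTHER.REALM", "hdfs/nn1.example.com@OTHER.REALM"):
        print(p, check_principal(p, m))
```

A mismatch such as the second principal is the kind of host-to-realm disagreement the [domain_realm] entries are meant to resolve.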

Re: kerberos - invalid principal

Explorer

That seemed to do the trick. Hopefully forcing the server into a different domain won't break directory authentication.