
kerberos - invalid principal


I have set up Kerberos authentication with Cloudera Manager. However, when the datanode tries to connect to the namenodes (HA) it throws an 'invalid principal' error. The servers are in a different domain than the authentication domain, but I was under the impression that the dfs.namenode.kerberos.principal and dfs.namenode.kerberos.spnego.principal would allow for this.

I can get this to work if I force all domains to the same KDC realm through the krb5.conf, but I would rather not do that.

I am using 5.4 of the CM and CDH. Any advice would be helpful at this point.

Thanks in advance...

 


Re: kerberos - invalid principal


You reconcile DNS domain differences to their KERBEROS REALM through the [domain_realms] section of the krb5.conf file. If CM is managing the krb5.conf, you can use the last safety valve to define the entire domain_realms section of the file, e.g.:

[domain_realm]
example.com = EXAMPLE.COM
other.net = OTHER.REALM
hostname.example.com = OTHER.REALM
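
To see which realm each host ends up in before pushing a mapping like the one above into the safety valve, the following sketch parses the [domain_realm] section and resolves host names against it. It is an added example, not part of the original thread or of Cloudera's code; the [libdefaults] line and the test host names are constructed, and the lookup order (exact host first, then each parent domain with and without a leading dot) is a simplified model of what the MIT and Java Kerberos clients do.

```python
import re

# [domain_realm] entries are from the reply above; [libdefaults] is constructed.
KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM

[domain_realm]
example.com = EXAMPLE.COM
other.net = OTHER.REALM
hostname.example.com = OTHER.REALM
"""

def parse_domain_realm(text):
    """Return the [domain_realm] entries of a krb5.conf as a dict."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping

def realm_for_host(host, mapping):
    """Most specific entry wins: exact host, then each parent domain."""
    name = host.lower().rstrip(".")
    if name in mapping:
        return mapping[name]
    for i, ch in enumerate(name):
        if ch == ".":
            # Try ".parent.domain" and then "parent.domain" at each level.
            for candidate in (name[i:], name[i + 1:]):
                if candidate in mapping:
                    return mapping[candidate]
    return None  # no entry: the Kerberos library applies its own fallback

if __name__ == "__main__":
    realms = parse_domain_realm(KRB5_CONF)
    # Host names below are constructed for illustration.
    for host in ("hostname.example.com", "nn1.example.com",
                 "dn1.other.net", "nn1.corp.local"):
        print(f"{host:22} -> {realm_for_host(host, realms)}")
```

A host that resolves to None here has no explicit mapping, which is the case where a service principal can be requested in a realm the cluster does not expect.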


Re: kerberos - invalid principal


That seemed to do the trick. Hopefully forcing the server into a different domain won't break directory authentication.