@divyank  Have you resolved this issue if not the issue you're encountering is common when Kerberos is enabled for HDFS, as it introduces authentication requirements that need to be properly configured. Here’s how to diagnose and resolve the problem: 1. Root Cause Analysis When Kerberos is enabled: Authentication: Every interaction with HDFS now requires a Kerberos ticket. Misconfiguration: The HDFS service or client-side configurations may not be aligned with Kerberos requirements. Keytabs: Missing or improperly configured keytab files for the HDFS service or users accessing the service. Browser Access: The HDFS Web UI may not support unauthenticated access unless explicitly configured. 2. Steps to Resolve Step 1: Verify Kerberos Configuration Check the Kerberos principal and keytab file paths for HDFS in Cloudera Manager: Navigate to HDFS Service > Configuration. Look for settings like: hadoop.security.authentication → Should be set to Kerberos. dfs.namenode.kerberos.principal → Should match the principal defined in the KDC. dfs.namenode.keytab.file → Ensure the file exists on the NameNode and has correct permissions. Step 2: Validate Kerberos Ticket Check if the HDFS service has a valid Kerberos ticket: klist -kte /path/to/hdfs.keytab If missing, reinitialize the ticket: kinit -kt /path/to/hdfs.keytab hdfs/<hostname>@<REALM> Test HDFS access from the command line: hdfs dfs -ls / If you get authentication errors, the Kerberos ticket might be invalid.   Step 3: Validate HDFS Web UI Access Post-Kerberos, accessing the HDFS Web UI (e.g., http://namenode-host:50070) often requires authentication. By default: Unauthenticated Access: May be blocked. Browser Integration: Ensure your browser is configured for Kerberos authentication or the UI is set to allow unauthenticated users. Enable unauthenticated access in Cloudera Manager (if needed): Go to HDFS Service > Configuration. Search for hadoop.http.authentication.type and set it to simple. Step 4: Review Logs for Errors Check NameNode logs for Kerberos-related errors: less /var/log/hadoop/hdfs/hadoop-hdfs-namenode.log Look for errors like: "GSSException: No valid credentials provided" "Principal not found in the keytab" Step 5: Synchronize Clocks Kerberos is sensitive to time discrepancies. Ensure all nodes in the cluster have synchronized clocks ntpdate <NTP-server> Step 6: Restart Services Restart the affected HDFS services via Cloudera Manager after making changes: Restart NameNode, DataNode, and HDFS services. Test the status of HDFS hdfs dfsadmin -report 3. Confirm Resolution Verify HDFS functionality: Test browsing HDFS via the CLI: hdfs dfs -ls /   Access the Web UI to confirm functionality: http://<namenode-host>:50070 If HDFS is working via CLI but not in the Web UI, revisit the Web UI settings in Cloudera Manager to allow browser access or configure browser Kerberos support. 4. Troubleshooting Tips If the issue persists: Check the Kerberos ticket validity with: klist Use the following commands to troubleshoot connectivity: hdfs dfs -mkdir /test hdfs dfs -put <local-file> /test Let me know how it goes or if further guidance is needed! ... View more

@rizalt  Can you share your layout of the 18 hosts to better understand where the issue could be emanating from? The issue you are experiencing, where shutting down 8 DataNodes causes both NameNodes in your high availability (HA) configuration to go down, likely points to Quorum loss in the JournalNodes or insufficient replicas for critical metadata blocks. The NameNodes in HA mode rely on JournalNodes for shared edits. For the HA setup to function correctly, the JournalNodes need a quorum (more than half) to be available. With 5 JournalNodes, at least 3 must be operational. If shutting down 8 DataNodes impacted the connectivity or availability of more than 2 JournalNodes, the quorum would be lost, causing both NameNodes to stop functioning. If shutting down 8 DataNodes reduces the number of replicas below the replication factor (typically 3), the metadata might not be available, causing the NameNodes to fail. Please revert ... View more

@pravin_speaks  I see some typo error  in the oracle create table stmt create table schema.ABC(account_id decimal(28,0), "1234" decima;(28,0)) ; Is that the exact copy and paste ?? Geoffrey ... View more

@Alf015  Can you share in what context  standalone? Package with HDP or CDP etc. This will give a better understanding on maybe how to replicate your environment and enable us to help resolve your issue. Thank you ... View more

@rizalt  Can you share the OS ,OS version and HDP version you are trying to Kerberize? I don't have a dump of HDP binaries though. I would like to reproduce and share the steps.? I suggest starting afresh so delete/destroy the current KDC as the root user or sudo the following steps are specific to  ubuntu  re-adapt for appropriate OS # sudo  kdb5_util -r HADOOP.COM destroy Accept with a "Yes" Now create a new Kerberos database Complete remove Kerberos $ sudo apt purge -y krb5-kdc krb5-admin-server krb5-config krb5-locales krb5-user krb5.conf  $ sudo rm -rf /var/lib/krb5kdc Do a refresh installation First, get the FQDN of your kdc server for this example # hostanme -f  test.hadoop.com Use the above output for a later set up # apt install krb5-kdc krb5-admin-server krb5-config Proceed as follow At the prompt for the Kerberos Realm = HADOOP.COM Kerberos server hostname = test.hadoop.com Administrative server for Kerberos REALM = test.hadoop.com Configuring krb5 Admin Server # krb5_newrealm Open /etc/krb5kdc/kadm5.acl it should contain a line like this */admin@HADOOP.COM * The kdc.conf should be adjusted to look like this [kdcdefaults]  kdc_ports = 88  kdc_tcp_ports = 88 [realms]  HADOOP.COM = {   #master_key_type = aes256-cts   acl_file = /var/kerberos/krb5kdc/kadm5.acl   dict_file = /usr/share/dict/words   admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab   supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal }   The krb5.conf should look like this if you are on a multi-node cluster this is the fines you will copy to all other hosts, notice the entry under domain_realm? [libdefaults]   renew_lifetime = 7d   forwardable = true   default_realm = HADOOP.COM   ticket_lifetime = 24h   dns_lookup_realm = false   dns_lookup_kdc = false   default_ccache_name = /tmp/krb5cc_%{uid}   #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5   #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5 [domain_realm]   .hadoop.com = HADOOP.COM   hadoop.com = HADOOP.COM [logging]   default = FILE:/var/log/krb5kdc.log   admin_server = FILE:/var/log/kadmind.log   kdc = FILE:/var/log/krb5kdc.log [realms]   HADOOP.COM = {     admin_server = test.hadoop.com     kdc = test.hadoop.com   }  Restart the Kerberos kdc daemons and kerberos admin servers: # for script in /etc/init.d/krb5*; do $script restart; done  Don't manually create any principle like the "ambari_hdfs-050819@HADOOP.COM" Go to the ambari kerberos wizard for the domain notice the . (dot)  kdc host = test.hadoop.com Real Name = HADOOP.COM Domains = .hadoop.com ,hadoop.com ----- kadmin host = test.hadoop.com Admin principal = admin/admin@HADOOP.COM Admin  password = password set during the creation of kdc database Now from here just accept the default the keytabs should generate successfully.  ... View more

@rizalt  Did you see the same entry in the krb5.conf that I suggested you add? [domain_realm]   .hadoop.com = HADOOP.COM   hadoop.com = HADOOP.COM In the Kerberos setup UI you should also include  HADOOP.COM , . HADOOP.COM  Check a solution I offered Error while enabling Kerberos on ambari Hope that helps ... View more

@rizalt  Make a backup of your krb5.conf and modify it like below # Configuration snippets may be placed in this directory as well includedir /etc/krb5.conf.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true ticket_lifetime = 24h dns_lookup_realm = false dns_lookup_kdc = false default_ccache_name = /tmp/krb5cc_%{uid} #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5 #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5 [realms] HADOOP.COM = { admin_server = master1.hadoop.com kdc = master1.hadoop.com } [domain_realm] .master1.hadoop.com = HADOOP.COM master1.hadoop.com = HADOOP.COM   Then restart the KDC and retry    ... View more

@rizalt  There are a couple of things to validate. Step 1 Pre-requisites Kerberos Server: Ensure you have a Kerberos Key Distribution Center (KDC) and an administrative server set up. DNS: Proper DNS setup is required for both forward and reverse lookups. NTP: Time synchronization across all nodes using Network Time Protocol (NTP). HDP Cluster: A running Hortonworks Data Platform (HDP) cluster. Step 2:  Check your /etc/host file ensure your KDC host is assigned the domain HADOOP.COM to match your KDC credentials # hostname -f Step 3: Once that matches then edit the Kerberos configuration file (/etc/krb5.conf) on all nodes to point to your KDC you can scramble the sensitive info and share   [libdefaults] default_realm = HADOOP.COM dns_lookup_realm = false dns_lookup_kdc = false [realms] HADOOP.COM = { kdc = kdc.hadoop.com admin_server = admin.hadoop.com } [domain_realm] .hadoop.com = HADOOP.COM hadoop.com = HADOOP.COM   Step 4: Locate your kadm5.acl file and ensure it looks like this */admin@HADOOP.COM * Step 5: Restart the KDC and admin servers as root or with sudo   # systemctl restart krb5kdc # systemctl restart kadmin   Step 6: Check Kerberos Ticket: Ensure that the Kerberos ticket is obtained correctly. kinit -kt /etc/security/keytabs/hdfs.keytab hdfs/hostname@HADOOP.COM klist If your setup is correct you will see an output like below    Ticket cache: FILE:/tmp/krb5cc_1000 Default principal: hdfs/hostname@HADOOP.COM Valid starting Expires Service principal 06/05/2024 09:50:21 06/06/2024 09:50:21 krbtgt/HADOOP.COM@HADOOP.COM renew until 06/05/2024 09:50:21 06/05/2024 09:50:22 06/06/2024 09:50:21 HTTP/hostname@HADOOP.COM renew until 06/05/2024 09:50:21 Hope that helps  ... View more

@achemeleu  Welcome Acemeleu, @DianaTorres  for pinging me on this one. I provide 2  solutions see  threads about a similar case  Ambari stuck1 Ambari.stuck2 Can you check the above solution and see if that works out for you too? In case it doesn't please can you share your HDP version, database type/version, ambari-server logs  and OS type/version, and  the brief  background of the steps you executed before getting stuck Please let us know whether that resolved your issue. Geoffrey ... View more