@Fawze AbuJaber Can you try without rebooting the AD ? ... View more

@Fawze AbuJaber Can you comment out the following in the krb5.conf by putting a pound (#) sign like below #default_tgs_enctypes = rc4-hmac #default_tkt_enctypes = rc4-hmac #permitted_enctypes = rc4-hmac Then restart the kdc server an retest. Can you also upload the krb5kdc and kadmind logs ... View more

@suraj l Have a look at this HCC document ... View more

@Fawze AbuJaber Can you explain to me the history of your setup? Cluster (hosts) and the Kerberos setup? My assumption is your target is to have a Linux based cluster but use the AD as KDC is that right? I just need to know the background to understand the current stand to be able to help better ... View more

@Fawze AbuJaber Can you make a backup and replace your krb5.conf with this file below please notice the difference! Can you make sure the supported_enctypes match your AD encryption ? [libdefaults] default_realm = LPDOMAIN.COM dns_lookup_kdc = true dns_lookup_realm = false ticket_lifetime = 86400 renew_lifetime = 604800 forwardable = true default_tgs_enctypes = rc4-hmac default_tkt_enctypes = rc4-hmac permitted_enctypes = rc4-hmac udp_preference_limit = 1 kdc_timeout = 5000 supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal [domain_realm] lpdomain.com = LPDOMAIN.COM .lpdomain.com = LPDOMAIN.COM [realms] LPDOMAIN.COM = { kdc = ropr-mng01.lpdomain.com admin_server = ropr-mng01.lpdomain.com } [domain_realm] lpdomain.com = LPDOMAIN.COM .lpdomain.com = LPDOMAIN.COM BRB ... View more

@Fawze AbuJaber Please do this instead the previous {.......} was an example, sorry I didn't elaborate! kinit -V -J-Dsun.security.krb5.debug=true -J-Djava.security.debug=true -k -t cloudera-scm@LPDOMAIN.COM.ktab cloudera-scm@LPDOMAIN.COM.ktab_Principal And can you attach the krb5.conf (Linux) and krb5.ini (windows) I need to see what values you have in there. ... View more

@Fawze AbuJaber There could be a couple of issues with your Kerberos setup. I am not familiar with the Cloudera Manager /Kerberos wizard but I have some pointers can you share your krb5.ini or conf? It seems your KDC does not support the encryption type requested. The desired encryption types are specified in the following tags in the Kerberos Configuration file krb5.ini or conf: [libdefaults] Enable debug by running the below kinit where xxx.ktab and xxx.ktab_Principal is the principal,you can get the values using klist kinit -J-Dsun.security.krb5.debug=true -J-Djava.security.debug=true -k -t xxx.ktab {xxx.ktab_Principal} Please let me know ... View more

@Fawze AbuJaber Can you change the below from the current "authentication" to "privacy" core-site.xml hadoop.rpc.protection = privacy hdfs-site.xml dfs.encrypt.data.transfer=true Does the Cluster have custom java classes and dependences? If so include them Have a look at this jira https://issues.apache.org/jira/browse/AMBARI-8174 You may need to configure both dfs.data.transfer.protection and hadoop.rpc.protection to specify QOP for rpc and data transfer protocols. In some cases, the values for these two properties will be same. In those cases, it may be easier to allow dfs.data.transfer.protection default to hadoop.rpc.protection.This also ensures that an admin will get QOP as Authentication if admin does not specify either of those values. The restart the datanode after the 2 changes in the core / hdfs site .xml ... View more

@Fawze AbuJaber I see "STARTUP_MSG: version = 2.6.0-cdh5.13.0 " is this a cloudera cluster ? Curiously I contribute in cloudera community and I see you opened also a thread in http://community.cloudera.com/t5/Storage-Random-Access-HDFS/Unable-to-Start-DataNode-in-kerberos-cluster/m-p/61210 Could you be precise on the distribution so you can get better help? ... View more