@forest lin The kdc.conf looks fine, but your initial and final krb5.conf don't look correct you forgot to add the entry in lowercase see below !. Please backup of your current krb5.conf on all the hosts and replace them with the below exactly as it is. [libdefaults] renew_lifetime = 7d forwardable = true default_realm = ABC.COM ticket_lifetime = 24h dns_lookup_realm = false dns_lookup_kdc = false default_ccache_name = /tmp/krb5cc_%{uid} #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5 #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5 [domain_realm] abc.com = ABC.COM .abc.com = ABC.COM [logging] default = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log kdc = FILE:/var/log/krb5kdc.log [realms] ABC.COM = { admin_server = nn1-dev1-tbdp kdc = nn1-dev1-tbdp } Did you re-run the below to correctly setup the KDC and KDC Admin hostnames dpkg-reconfigure krb5-kdc Can you also validate that the host entries on all the hosts are the same and include the KDC server host entry? What the content of your kadm5.acl file? On the KDC server can you paste the output of the below command. Please obscure the domain name # kdestroy # kadmin.local Authenticating as principal root/admin@ABC.COM with password. kadmin.local: listprincs After validating and changing the above restart the services service krb5-kdc restart service krb5-admin-server restart Don't forget to enable auto-restart of kdc and kadmin use appropriate ubuntu command chkconfig krb5kdc on chkconfig kadmin on Now try the Ambari--> Kerberos wizard again it should succeed The logs are in these directories on the KDC and Clients default = /var/log/krb5kdc.log admin_server = /var/log/kadmind.log kdc = /var/log/krb5kdc.log Please revert ... View more

@Sam Red There could be a couple of reasons here. First make sure the KDC and Kadmin is running assuming you are on RHEL/Centos7 Check the current status these 2 deamons should be running # systemctl status krb5kdc.service # systemctl status kadmin.service If they are not running please, enable them so at next reboot they autostart # systemctl enable kadmin.service # systemctl enable krb5kdc.service Start the services # systemctl start krb5kdc.service # systemctl start kadmin.service As the root user check that the principals are in the KDC database # kadmin.local Authenticating as principal root/admin@RELAY.COM with password. kadmin.local: listprincs First forcefully expire the current kerberos credentials, log on as user hdfs or whatever # kdestroy Validate that no credentials are cached # klist klist: No credentials cache found (filename: /tmp/krb5cc_0) To see what keytab entries in that keytab file, use klist # klist -kte /etc/security/keytabs/spnego.service.keytab Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab KVNO Timestamp Principal ---- ------------------- ------------------------------------------------------ 1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (aes256-cts-hmac-sha1-96) 1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (des-cbc-md5) 1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (arcfour-hmac) 1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (aes128-cts-hmac-sha1-96) 1 08/24/2017 15:42:23 HTTP/hostname@RELAY.COM (des3-cbc-sha1) The grab a valid kerberos using the info above # kinit -kt /etc/security/keytabs/spnego.service.keytab HTTP/hostname@RELAY.COM Now retry ... View more