@harish Create the test user principal Let's try this out as root create user at OS level # useradd test Set password # passwd test evoke the kdc admin CLI, run these commands from /etc/security/keytabs # kadmin.local .. kadmin.local: addprinc test@RXPERF.HDP.XX.COM Quit kadmin Kadmin.local: q Extract/Generate the keytab The extracting the keytab is done in the ktutil shell cmd a continuation from the previous step the keytab name and principal is an explicit input it’s usually good if it matches the user for easy identification. This will extract the keytab in the current directory i.e /etc/security/keytabs/ you can later move it to the user’s home directory or the /tmp directory #sudo ktutil ktutil : addent –password –p test@RXPERF.HDP.XX.COM -k 1 -e RC4-HMAC Password for test@RXPERF.HDP.XX.COM : ktutil : wkt test.keytab ktutil : q Now to validate the above steps run as the user test $ klist -kt /etc/security/keytabs/test.keytab The output should look like Keytab name: FILE:/etc/security/keytabs/test.keytab KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (des3-cbc-sha1) 1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (aes128-cts-hmac-sha1-96) 1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (arcfour-hmac) 1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (des-cbc-md5) 1 01/07/19 22:25:31 test@RXPERF.HDP.XX.COM (aes256-cts-hmac-sha1-96) Now grab a ticket using as test user format kinit -kt $keytab $principal $ kinit -kt /etc/security/keytabs/test.keytab test@RXPERF.HDP.XX.COM Check for ticket Klist Let me know if that works ... View more

@harish Can you share with me exactly how you created the new principal and keytab? I would like to see the syntax remember to garble sensitive info. Also remember to add a new entry in the cron kprop to also propagate the newly create principal in the slave KDC database to the Primary so in case you switch back everything is in sync !! ... View more

@harish Was the creation successful without errors? If so can you list the principals in the slave KDC On the slave # kadmin.local kadmin: listprincs Is your slave KDC also in the krb5.conf? In the format. [realms] EXAMPLE.COM = { ... kdc = kdc1.example.com kdc = kdc2.example.com ... } Because multiple KDCs may exist for an installation (failover, high availability, etc, Ambari should allow a user to specify multiple KDC hosts to be set while enabling Kerberos and updating the Kerberos service's configuration. This should be done by allowing kerberos-env/kdc_host to accept a (comma-)delimited list of hosts and then parsing that list properly when building the krb5.conf file where each kdc_host item generates an entry in the relevant realm block kerberos-env And in Ambari your kerberos.env should have an entry the { ... "kdc_hosts" : "kdc1.example.com, kdc2.example.com" ... } Some Ambari KDC documentation To backup a KDC database to a file, use krb5_util_dump. # kdb5_util dump kdcfile To restore the KDC database from the dump file created in the above step, do the following: # kdb5_util load kdcfile Please revert ... View more

@choppadandi vamshi krishna After successfully running the --mpack you will need to go to the bottom left of the Ambari UI and click on Stack and Version, for illustration see the attached screenshot. Nifi and Nifi Registry should be available for installation. You should be able to proceed with the nifi setup and choose whether you want it clustered or a single node. In my example, I added a 6 node cluster to an existing HDP cluster. Follow the screen flow at the end of the installation and restart of the nifi services you should see all the Nifi node in your Ambari UI. I would advise you don't install the Certificate authority which will mean all login will be anonymous. Setting the Certificates needs access to the AD or creating the first Admin user who is the Nif superuser to create and grant privileges in Nifi HTH ... View more

@huzaira bashir Can you share the corresponding to my screenshots photo5 and 6 , I built a VM to test your case and documented all the steps over the weekend and I am surprised it can't work for you. Is Java Cryptography Extension (JCE) installed, check the syntax below please adjust your jdk_home accordingly # zipgrep CryptoAllPermission /usr/jdk64/jdk1.8.0_112/jre/lib/security/local_policy.jar The desired output should be default_local.policy: permission javax.crypto.CryptoAllPermission; ... View more

@Vinay Nice it worked out but the solution wasn't far! ... View more

@Michael Bronson This is how to set the parameters (in decreasing order of priority) that you can set in your Kafka broker properties file: # Configures retention time in milliseconds log.retention.ms=1680000 # Used if log.retention.ms is not set log.retention.minutes=1680 # Used if log.retention.minutes is not set log.retention.hours=168 Also see jay's comments !! ... View more

@Michael Bronson What config did you change? If its custom did you use the Custom kafka-broker config? It's usually a good idea to give as much info as possible, it's easier to act otherwise you will exchange postings without any useful outcome. ... View more

@huzaira bashir Please follow the steps and update this thread, I am sure there is a step you missed follow page by page. On your screenshot I didn't see the Domain ... View more