Member since 04-09-2019 | 254 Posts | 140 Kudos Received | 34 Solutions
03-27-2017 05:39 PM
Hey @Deepak Sharma, Looks like the connectivity between the Knox server and HiveServer2 (HS2) is broken. So:

1. Have you checked that Beeline works fine without Knox, using HS2 (over SSL) directly?
2. Also, after enabling SSL for Hive, you need to establish trust between the Knox service and HS2 by importing their certificates into each other's truststore. Have you done this?

These two should definitely give you some breakthrough. Let us know!
03-24-2017 11:16 AM
Hello @Balaji Badarla, From the attached error log, it looks like some principal is not found in the Kerberos database. This could be because the correct principal name is not getting formed. Can you please change the auth-to-local rules to these:

1. On HORTONWORKS.COM realm:

```
RULE:[1:$1@$0](ambari-qa-dr@HORTONWORKS.COM)s/.*/ambari-qa/
RULE:[1:$1@$0](hdfs-dr@HORTONWORKS.COM)s/.*/hdfs/
RULE:[1:$1@$0](.*@HORTONWORKS.COM)s/@.*//
RULE:[2:$1@$0](amshbase@HORTONWORKS.COM)s/.*/ams/
RULE:[2:$1@$0](amszk@HORTONWORKS.COM)s/.*/ams/
RULE:[2:$1@$0](dn@HORTONWORKS.COM)s/.*/hdfs/
RULE:[2:$1@$0](jhs@HORTONWORKS.COM)s/.*/mapred/
RULE:[2:$1@$0](jn@HORTONWORKS.COM)s/.*/hdfs/
RULE:[2:$1@$0](nm@HORTONWORKS.COM)s/.*/yarn/
RULE:[2:$1@$0](nn@HORTONWORKS.COM)s/.*/hdfs/
RULE:[2:$1@$0](rm@HORTONWORKS.COM)s/.*/yarn/
RULE:[2:$1@$0](yarn@HORTONWORKS.COM)s/.*/yarn/
RULE:[1:$1@$0](ambari-qa-primary@EXAMPLE.COM)s/.*/ambari-qa/
RULE:[1:$1@$0](hdfs-primary@EXAMPLE.COM)s/.*/hdfs/
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
RULE:[2:$1@$0](amshbase@EXAMPLE.COM)s/.*/ams/
RULE:[2:$1@$0](amszk@EXAMPLE.COM)s/.*/ams/
RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/
RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](nfs@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](nm@EXAMPLE.COM)s/.*/yarn/
RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/
RULE:[2:$1@$0](yarn@EXAMPLE.COM)s/.*/yarn/
RULE:[2:$1@$0](.*@EXAMPLE.COM)s/@.*//
DEFAULT
```

2. On EXAMPLE.COM realm:

```
RULE:[1:$1@$0](ambari-qa-primary@EXAMPLE.COM)s/.*/ambari-qa/
RULE:[1:$1@$0](hdfs-primary@EXAMPLE.COM)s/.*/hdfs/
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
RULE:[2:$1@$0](amshbase@EXAMPLE.COM)s/.*/ams/
RULE:[2:$1@$0](amszk@EXAMPLE.COM)s/.*/ams/
RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/
RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](nfs@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](nm@EXAMPLE.COM)s/.*/yarn/
RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/
RULE:[2:$1@$0](yarn@EXAMPLE.COM)s/.*/yarn/
RULE:[1:$1@$0](ambari-qa-dr@HORTONWORKS.COM)s/.*/ambari-qa/
RULE:[1:$1@$0](hdfs-dr@HORTONWORKS.COM)s/.*/hdfs/
RULE:[1:$1@$0](.*@HORTONWORKS.COM)s/@.*//
RULE:[2:$1@$0](amshbase@HORTONWORKS.COM)s/.*/ams/
RULE:[2:$1@$0](amszk@HORTONWORKS.COM)s/.*/ams/
RULE:[2:$1@$0](dn@HORTONWORKS.COM)s/.*/hdfs/
RULE:[2:$1@$0](jhs@HORTONWORKS.COM)s/.*/mapred/
RULE:[2:$1@$0](jn@HORTONWORKS.COM)s/.*/hdfs/
RULE:[2:$1@$0](nm@HORTONWORKS.COM)s/.*/yarn/
RULE:[2:$1@$0](nn@HORTONWORKS.COM)s/.*/hdfs/
RULE:[2:$1@$0](rm@HORTONWORKS.COM)s/.*/yarn/
RULE:[2:$1@$0](yarn@HORTONWORKS.COM)s/.*/yarn/
RULE:[2:$1@$0](.*@HORTONWORKS.COM)s/@.*//
DEFAULT
```

Please note that I've changed the "*" rules in both of them. Please try with these and let us know. If you still see any Kerberos error, please set these & then run the distcp command:

```
export HADOOP_OPTS="$HADOOP_OPTS -Dsun.security.krb5.debug=true"
export HADOOP_ROOT_LOGGER=DEBUG,console
```

Hope this helps!
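To see why rule order and the component count in `[1:...]` / `[2:...]` matter for the rules in the answer above, here is an added Python evaluator of Hadoop-style auth-to-local rules. It is illustrative code written for this page, not Hadoop's own implementation or code from the post; it assumes Hadoop's semantics (first matching rule wins, the whole formatted name must match the regex, sed-style first-occurrence substitution) and uses a constructed subset of the rules above.

```python
import re

# Constructed subset of the auth-to-local rules from the post above (not the full list).
RULES_TEXT = """
RULE:[1:$1@$0](ambari-qa-dr@HORTONWORKS.COM)s/.*/ambari-qa/
RULE:[1:$1@$0](hdfs-dr@HORTONWORKS.COM)s/.*/hdfs/
RULE:[1:$1@$0](.*@HORTONWORKS.COM)s/@.*//
RULE:[2:$1@$0](nn@HORTONWORKS.COM)s/.*/hdfs/
RULE:[2:$1@$0](rm@HORTONWORKS.COM)s/.*/yarn/
RULE:[2:$1@$0](.*@EXAMPLE.COM)s/@.*//
DEFAULT
"""

# RULE:[<components>:<format>](<match regex>)s/<pattern>/<replacement>/[g]  (assumes no escaped slashes)
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]+)\]\((.*)\)s/(.*?)/(.*?)/(g?)$")

def parse_rules(text):
    # Keep rules in file order; DEFAULT is stored as None so its position is honoured.
    rules = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "DEFAULT":
            rules.append(None)
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: " + line)
        ncomp, fmt, match, pat, repl, flag = m.groups()
        rules.append((int(ncomp), fmt, re.compile(match), re.compile(pat), repl, flag == "g"))
    return rules

def translate(principal, rules, default_realm="HORTONWORKS.COM"):
    # First matching rule wins (assumed Hadoop semantics); None means no rule matched,
    # which is where Hadoop rejects the principal with a "No rules applied" error.
    name, _, realm = principal.partition("@")
    components = name.split("/")
    for rule in rules:
        if rule is None:  # DEFAULT: only single-component principals of the local realm
            if len(components) == 1 and realm == default_realm:
                return components[0]
            continue
        ncomp, fmt, match, pat, repl, glob = rule
        if len(components) != ncomp:  # [1:...] vs [2:...] selects by component count
            continue
        formatted = fmt.replace("$0", realm)
        for i, comp in enumerate(components, start=1):
            formatted = formatted.replace("$%d" % i, comp)
        if not match.fullmatch(formatted):  # the whole formatted name must match
            continue
        return pat.sub(repl, formatted, count=0 if glob else 1)
    return None
```

A principal such as `bob@EXAMPLE.COM` gets no short name from this subset, which is the kind of gap the original "*" rules left and why a catch-all rule per realm and per component count is included above.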
03-24-2017 10:50 AM
Thanks @mvaradkar for writing this. This is a good find & useful info!
03-23-2017 11:45 PM
Hello @Said Masoud, I don't understand why you are trying to sync using the REST API & curl. I'd rather use `ambari-server sync-ldap --all -v` to sync all the users and groups. I don't know how to make this curl call work; can you please try this command & let us know. Hope this helps!
03-23-2017 05:57 PM
@Said Masoud Ambari does work with Windows Server 2012 and we have done that multiple times in the past. If you are using Windows Server 2012 with Ambari for user sync, then you are not using the correct AD user attribute name and are also trying to bind anonymously. Please use a correct bind DN and password to successfully bind to the AD server. Your properties should look like these (similar to what @Jay SenSharma has given, but with the correct AD user attribute name):

```
authentication.ldap.baseDn=ou=Users,ou=corporate,dc=example,dc=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=distinguishedName
authentication.ldap.groupMembershipAttr=member
authentication.ldap.groupNamingAttr=name
authentication.ldap.groupObjectClass=group
authentication.ldap.primaryUrl=<redacted>:389
authentication.ldap.referral=ignore
authentication.ldap.secondaryUrl=<redacted>:389
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=user
authentication.ldap.usernameAttribute=sAMAccountName
authentication.ldap.managerDn=cn=bind-user,ou=Users,ou=corporate,dc=example,dc=com
authentication.ldap.managerPassword=...
```

The base DN should NOT be a top-level DC of your AD.

A better way to set this up is via the 'setup-ldap' command (which also takes care of hiding the bind DN's password), like this:

```
# ambari-server setup-ldap \
  --ldap-url=<ad-host-fqdn>:389 \
  --ldap-secondary-url= \
  --ldap-ssl=false \
  --ldap-base-dn=ou=Users,ou=corporate,dc=example,dc=com \
  --ldap-manager-dn=cn=bind-user,ou=Users,ou=corporate,dc=example,dc=com \
  --ldap-bind-anonym=false \
  --ldap-dn=distinguishedName \
  --ldap-member-attr=member \
  --ldap-group-attr=cn \
  --ldap-group-class=group \
  --ldap-user-class=user \
  --ldap-user-attr=sAMAccountName \
  --ldap-save-settings \
  --ldap-referral=ignore
```

Hope this helps!
03-23-2017 07:25 AM
Hello @Hajime San, Since you have enabled Kerberos & SPNEGO for both NameNodes, when you make a request to the HAProxy URL, curl generates a Kerberos authenticator. This contains the principal name (your user) and the Kerberos service principal name (HTTP/<ha-proxy-node> OR HTTP/node1.localdomain), among other session details. When this authenticator reaches the NameNode (node2.localdomain), it checks whether the received authenticator is intended for a service running with the 'HTTP/node1.localdomain' service principal. Since the NameNode service principal name (HTTP/node1.loc) doesn't match HTTP/node2.localdomain, an error like 'checksum failed' is returned. To fix this name mismatch, you need to specify `dfs.web.authentication.kerberos.principal=*` in the HDFS configuration in Ambari, so that the NameNode can allow other principal names as well. Hope this helps!
03-14-2017 04:21 PM
Hello @Saurabh, If you look at the error message closely, it says 'No service creds'. Since you are running a hadoop command, this most probably means that the NameNode service keytab is either missing or not good. In both cases, please check the NameNode log for any error during service startup. To verify the service keytabs, try running these on the NameNode:

```
su - hdfs
kinit -kt /etc/security/keytabs/nn.service.keytab nn/<nn-host-fqdn>@REALM
```

The last command should give you a correct TGT for the NN service principal, which would show that the NN service keytab is good. Lastly, you can try to regenerate the keytabs for all the services. Hope this helps!
03-08-2017 06:03 PM
A2A @Ayub Khan and @sshivaprasad. Thanks guys.
02-25-2017 02:08 AM
Hello @rahul gulati, Here's what you need to do:

1. Set up your own CA using openssl.
2. On each Hadoop service node (NN, DN, YARN RM, NM etc.):
   a. Generate a key pair into 'server-keystore.jks' and export the public cert into a file.
   b. Get this public cert signed by the CA keys.
   c. Import the signed cert back into 'server-keystore.jks'.
   d. Import the CA's public cert into a new 'server-truststore.jks'.
3. On each edge node (where only Hadoop clients are supposed to run):
   a. Import the CA's public cert into a new 'client-truststore.jks'.

The above should give you a fair idea of what should go where. Mind you, this only covers the SSL infrastructure. This is assuming that you will do the rest of the Hadoop SSL configuration along with these. Hope this helps!
02-21-2017 09:51 PM
Hello @Anwaar Siddiqui, I believe there is a problem with the group sync setting in the Ranger configuration. To confirm that, we need to see whether the LDAP query for groups using these parameters is working or not. Can you please run this query and share the output with us?

```
ldapsearch -x -H ldap://xyz:389 -D "cn=Manager,dc=bigdatdomain,dc=com" -W -b "dc=bigdatdomain,dc=com" "(&(objectclass=groupofnames)(cn=*))"
```

Hope this helps!