03-14-2017
04:21 PM
Hello @Saurabh, If you look at the error message closely, it says 'No service creds'. Since you are running a hadoop command, this most probably means that the NameNode service keytab is either missing or not good. In both cases, please check the NameNode log for any error during service startup. To verify the service keytabs, try running these on the NameNode:

su - hdfs
kinit -kt /etc/security/keytabs/nn.service.keytab nn/<nn-host-fqdn>@REALM

The last command should give you a correct TGT for the NN service principal; that would show that the NN service keytab is good. Lastly, you can try to regenerate the keytabs for all the services. Hope this helps!
03-15-2017
07:35 AM
@subash sharma Glad that the issue is resolved. Please close the loop by accepting the answer.
02-07-2018
06:19 AM
I had the same problem: "ranger can sync users with ldap but can't login to ranger UI with ldap password." Finally I could solve this problem, so let me share the lessons learned and how I solved it, to help those of you who have the same problem I faced.

Lessons learned:

1. We have to configure ranger admin to speak the ldaps protocol if we want to use ldaps for user authentication. Parameters in ranger-admin-site: ranger.truststore.file, ranger.truststore.password. I had to import the self-signed CA from the LDAP team to "/etc/ranger/admin/conf/ranger-admin-keystore.jks". Set the password which I specified for this import to "ranger.truststore.password". Command example:

keytool -importcert -alias rangeradmin -noprompt -trustcacerts -file ./ca.crt -keystore /etc/ranger/admin/conf/ranger-admin-keystore.jks -storepass xasecure

ref: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_security/content/configure_non_ambari_ranger_ssl_self_signed_cert_admin.html

2. Syncing user info with ldap and using ldap for authentication are technically different settings. For example, we can use ldap authentication for ranger UI login even when we disable "Enable User Sync". In other words, we can use ldap authentication when the "Ranger Usersync" service is not running.

3. Debug logs from "org.springframework" and "org.apache.ranger" were very useful for troubleshooting. We can change the log level with "admin-log4j.xml":

log4j.category.org.springframework=debug,xa_log_appender
log4j.category.org.apache.ranger=debug,xa_log_appender

4. Here are the key configurations for ldap authentication (not for user sync with ldap):

Authentication method: LDAP
LDAP URL: ldaps://xxxxxx
User Search Filter: (uid={0})
Group Search Filter: (member=uid={0},ou=xxxxx,o=xxxxx)
ranger.ldap.user.dnpattern: uid={0},ou=xxxxx,o=xxxxx
ranger.truststore.file: /etc/ranger/admin/conf/ranger-admin-keystore.jks <= in case with ldaps.
ranger.truststore.password: xasecure <= in case with ldaps. This is the password you set when you import the ca to the jks.

I hope this memo helps those who have the same problem I faced 🙂
01-23-2017
07:22 PM
The purpose of renewable tickets was missed in the provided answers - one renews a ticket in order to avoid the authentication process again. You can issue a renewal request (without authenticating) up until renew_lifetime. Use klist to see the valid/expire/renew timestamps.
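Added example, not part of the original post: a Python sketch that reads the valid/expire/renew timestamps from `klist` output and decides whether the ticket can still be renewed without authenticating. The sample output is constructed, the MM/DD/YY date layout is an assumption, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the MIT klist layout. The MM/DD/YY date format is an
# assumption: klist prints dates according to the host's locale.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
01/23/17 09:00:00  01/23/17 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 01/30/17 09:00:00
"""

_TS = r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})"
_TGT = re.compile(rf"^{_TS}\s+{_TS}\s+krbtgt/\S+")
_RENEW = re.compile(rf"^\s+renew until {_TS}")

def _parse(ts):
    four_digit_year = len(ts.split()[0].rsplit("/", 1)[1]) == 4
    return datetime.strptime(ts, "%m/%d/%Y %H:%M:%S" if four_digit_year else "%m/%d/%y %H:%M:%S")

def read_tgt(klist_text):
    """Return (start, expires, renew_until or None) for the TGT, or None."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        m = _TGT.match(line)
        if m:
            nxt = _RENEW.match(lines[i + 1]) if i + 1 < len(lines) else None
            return _parse(m.group(1)), _parse(m.group(2)), nxt and _parse(nxt.group(1))
    return None

def tgt_state(klist_text, now):
    """Return 'renewable', 'not-renewable', 'reauthenticate' or 'no-tgt'."""
    tgt = read_tgt(klist_text)
    if tgt is None:
        return "no-tgt"
    _start, expires, renew_until = tgt
    if now >= expires:
        return "reauthenticate"  # an expired ticket cannot be presented for renewal
    if renew_until is not None and now < renew_until:
        return "renewable"  # `kinit -R` works without a password or keytab
    return "not-renewable"

def expiry_after_renewal(klist_text, now):
    """Expiry of a renewable ticket renewed at `now`: same lifetime, capped at 'renew until'."""
    start, expires, renew_until = read_tgt(klist_text)
    return min(now + (expires - start), renew_until)
```

Feed it the output of `klist` for the current cache; `expiry_after_renewal` should only be called when `tgt_state` returns `renewable`.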
12-11-2018
01:24 PM
Hi Ayub, As described in step 1, is it required to create some random ids "id":"-11893021824425525" for this json request to be successful?
12-17-2016
03:43 PM
8 Kudos
Hello @Sami Ahmad, Keeping the jargon aside -
Ranger is used for deciding who can access what resources on a Hadoop cluster with the help of policies (there is more to this but this is in the most basic terms). Knox can be imagined as the gatekeeper which decides whether to allow user access to the Hadoop cluster or not.

More complete definitions:

Ranger is an authorization system which allows / denies access to Hadoop cluster resources (HDFS files, Hive tables etc.) based on pre-defined Ranger policies. When a user request comes to Ranger, it is assumed to be authenticated already.

Knox is a REST API based perimeter security gateway system which 'authenticates' user credentials (mostly against AD/LDAP). Only successfully authenticated users are allowed access to the Hadoop cluster. Knox also provides a layer of abstraction to the underneath Hadoop services, i.e. all endpoints are accessed via the Knox gateway URL.

Follow the Apache Ranger project and the Apache Knox project for a more comprehensive description and the full feature list. Hope this helps!
05-01-2019
03:22 PM
Would like to disable Kerberos security for Kafka but not for NIFI, any good documentation available to help?
10-12-2016
02:01 PM
Thank you @Rahul Buragohain for letting us know. Please select any best answer for the others to follow how this problem was fixed. Thanks.