Member since 09-29-2015 | 362 Posts | 242 Kudos Received | 63 Solutions
09-19-2016
01:11 PM
@Avijeet Dash For versions before Ambari 2.4.0, @Vipin Rathor's answer is correct. For Ambari 2.4.0 (and later), Ambari will do this for you when Kerberos is enabled.
09-15-2016
01:32 PM
1 Kudo
@Sanjib Behera After enabling Kerberos via Ambari, some of the UIs are configured to require Kerberos authentication where others are not. I am not sure why not all of them are changed, but that is the way it is for now. The Hadoop UIs (HDFS, Yarn, etc.), for example, do not have Kerberos enabled by default - though there are directions on how to do it manually.

That said, once Kerberos authentication is required by a (web-based) UI, you cannot simply point your web browser at it. There are a few additional steps needed to enable your web browser to send Kerberos tokens. Each browser has a different set of instructions on how to do this. See https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM for some instructions on this. However, in general you need to do the following:

1. Configure your local machine to communicate with the relevant KDC
2. On your local machine, kinit (or similar facility) as some Kerberos identity
3. Open your web browser (you may need to close and re-open your web browser for it to acknowledge the Kerberos ticket cache)
4. Update the settings in your web browser to enable Kerberos authentication (see the link posted above)
5. Browse to the protected URL
09-14-2016
02:13 PM
1 Kudo
@Sanjib Behera The ACL file for the MIT KDC package on Ubuntu is typically at /etc/krb5kdc/kadm5.acl and should contain the following line to ensure the admin user has the ability to manage accounts in the KDC:

    */admin@XXX.COM *

If this is set properly, then I would think that you should have no issues. Attached is my kdc install script for Ubuntu. Maybe it will help? install-kdc-ubuntush.txt

If you make any changes to the kadm5.acl file, be sure to restart both the krb5-admin-server and the krb5-kdc services.

    service krb5-kdc restart
    service krb5-admin-server restart
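The ACL check described in the post above, as an added example (not part of the original post or of MIT Kerberos): a reduced kadm5.acl evaluator that shows which principals the `*/admin` line covers and how a realm mismatch or an earlier, narrower line leaves the admin user without rights. The EXAMPLE.COM realm and the function names are assumptions; target back-references and restrictions are not handled.

```python
# Added example: a simplified reading of MIT kadm5.acl entries.
# Assumptions: patterns are fully qualified, a component matches when it is
# "*" or identical, and target back-references/restrictions are ignored.
ALL_PERMS = set("admcilsp")  # rights granted by "*" (or "x")

# Constructed sample: the line from the post with a placeholder realm.
SAMPLE_ACL = """\
# /etc/krb5kdc/kadm5.acl
*/admin@EXAMPLE.COM *
"""

def parse_acl(text):
    """Return [(principal_pattern, effective_perms, target_pattern|None)]."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed ACL line: {raw!r}")
        granted, denied = set(), set()
        for ch in fields[1]:
            if ch in "*x":
                granted |= ALL_PERMS
            elif ch.islower():
                granted.add(ch)
            else:  # an uppercase letter disallows that operation
                denied.add(ch.lower())
        target = fields[2] if len(fields) > 2 else None
        entries.append((fields[0], granted - denied, target))
    return entries

def split_principal(principal):
    name, _, realm = principal.partition("@")
    return name.split("/") + [realm]

def matches(pattern, principal):
    p, q = split_principal(pattern), split_principal(principal)
    return len(p) == len(q) and all(a in ("*", b) for a, b in zip(p, q))

def is_allowed(entries, actor, perm, target):
    """The first entry matching both actor and target decides."""
    for pattern, perms, target_pattern in entries:
        if matches(pattern, actor) and (
                target_pattern is None or matches(target_pattern, target)):
            return perm in perms
    return False
```
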
09-13-2016
05:47 PM
1 Kudo
It appears you have a configuration issue in your krb5.conf and kdc.conf files. I assume you are setting up an MIT KDC which is outside the scope of Ambari or HDP. Have you tried following the MIT KDC install docs like the one at https://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html?

To help you get going, here is a KDC installation script that I use for installing on CentOS. It creates a realm named EXAMPLE.COM with an admin user - principal: admin/admin@EXAMPLE.COM; password: hadoop

install-kdcsh.txt
08-26-2016
06:58 PM
3. (LDAP uri) The use of secure ldap (ldaps) is required her
Thanks for pointing this out. In a future version of Ambari, LDAPS will be a hard requirement by both the UI and the backend logic. For now (Ambari 2.4.0 and below) this is a documented requirement.
08-11-2016
12:25 PM
@Kuldeep Kulkarni, In the auth-to-local rule set examples, DEFAULT should be the last rule. Also, this is a bit more than setting up the trust relationship between two MIT KDCs. It also includes some details about allowing two clusters to access each other's data. To do this, I believe that there are a few more steps. See https://community.hortonworks.com/articles/18686/kerberos-cross-realm-trust-for-distcp.html
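Why the position of DEFAULT matters, as an added example (not code from the post or from Hadoop): a reduced evaluator for Hadoop-style auth_to_local rules, in which the first rule that applies wins and DEFAULT accepts only principals from the default realm. The realms, the rule sets and the nn to hdfs mapping are constructed for illustration, and only the rule grammar shown in the comment is supported.

```python
import re

# Grammar subset: RULE:[n:format](regex)s/pattern/replacement/[g], or DEFAULT.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

def apply_rule(rule, principal, default_realm):
    """Return the short name the rule produces, or None if it does not apply."""
    name, _, realm = principal.partition("@")
    comps = name.split("/")
    if rule == "DEFAULT":
        # DEFAULT only handles the default realm and keeps the first component.
        return comps[0] if realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    n, fmt, regex, pat, repl, g = m.groups()
    if int(n) != len(comps):
        return None
    params = [realm] + comps                  # $0 = realm, $1.. = components
    base = re.sub(r"\$(\d)", lambda k: params[int(k.group(1))], fmt)
    if regex is not None and not re.fullmatch(regex, base):
        return None
    if pat is not None:
        base = re.sub(pat, repl, base, count=0 if g else 1)
    return base

def map_principal(rules, principal, default_realm):
    """First rule that applies wins; later rules are never consulted."""
    for rule in rules:
        short = apply_rule(rule, principal, default_realm)
        if short is not None:
            return short
    raise ValueError(f"no rule applies to {principal}")

# Constructed rule sets (realm names and the nn -> hdfs mapping are made up).
SPECIFIC = ["RULE:[2:$1@$0](nn@EXAMPLE\\.COM)s/.*/hdfs/",
            "RULE:[1:$1@$0](.*@AD\\.EXAMPLE\\.COM)s/@.*//"]
DEFAULT_LAST = SPECIFIC + ["DEFAULT"]
DEFAULT_FIRST = ["DEFAULT"] + SPECIFIC
```

With DEFAULT first, the service principal `nn/host1.example.com@EXAMPLE.COM` is shortened to `nn` before the specific rule that maps it to `hdfs` is ever reached.
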
07-29-2016
05:38 PM
@Satish Bomma I think the installation for this is not too complex. The MIT KDC install is easy with potentially little to do - depending on your security needs. Once the KDC is installed, an admin user needs to be created and you are done. Here is a script for CentOS that installs a KDC - install-kdcsh.txt

Then the trust relationship needs to be created. This is about 3 command line calls on the Active Directory host and 1 on the MIT KDC host.

Finally Ambari needs to know about the Active Directory as well as the local KDC. This is done by adding a _realm_ block to the krb5.conf template and adding the Active Directory's realm to a text box labeled "Additional Realms" while enabling Kerberos.
07-29-2016
05:03 PM
4 Kudos
I would recommend setting up an MIT KDC for the cluster's service identities. If there are users in an Active Directory that need access to the services on the cluster, then a trust relationship between the cluster's KDC and the Active Directory can be set up to give those users access. This configuration lends itself to spreading the Kerberos-related workload across different KDCs - the service-related Kerberos workload remains local to the cluster while the user-related Kerberos workload is sent to the Active Directory. This reduces the load on the Active Directory; and depending on the network configuration, this can contain much of the network traffic to be local to the cluster.
07-26-2016
02:02 PM
Then it appears that things are looking pretty good. Is the alert still appearing? It may have been a hiccup where multiple threads were attempting to refresh that cache at the same time. I think in older versions of Ambari this was a problem every-so-often. What version of Ambari are you using?
07-26-2016
01:59 PM
Another source for master/slave configuration is https://web.mit.edu/kerberos/krb5-1.12/doc/admin/install_kdc.html