Thanks @Robert Levas ... View more

This preauthentication failure can happen for several reasons. Mostly we see when either the password for the relevant account in the Active Directory has changed since the keytab file was created; or the system clock is off by about 5 minutes from that of the Active Directory. Is it possible one of these 2 scenarios are in play? For that Zookeeper issue, I think you may be able to manually start Zookeeper in a permissive mode so that you can manually update the ACLs on the znodes. However I am not too familiar with this part of the equation. ... View more

Thanks Robert!! I will try the -norandkey next time. ... View more

@Geoffrey Shelton Okot Please find the link for new thread https://community.hortonworks.com/questions/246319/failed-to-connect-to-kdc-failed-to-communicate-wit.html Please guide me on this its really critical for me. ... View more

You appear to be using an Active Directory. In this case, you still want to use port 389 for LDAP and 636 for LDAPS unless there is a firewall in the way or the ports were changed on the Active Directory for some reason. That said, it is possible that SSL was not set up for your Active Directory and therefore it is not listening for LDAPS requests on port 636. Make sure that LDAPS is enabled on your Active Directory. ... View more

Usually by default the ticket expires 24 hours and cache expires 7 days. Depends on your directory services policies. Within 7 days you can do kinit -R for users. klist will show ticket and cache expiry time. Or you can use keytabs to automate ticket renewal. You don't have to kinit for hadoop services (ever), ticket renewal is managed automatically. ... View more

Can you check you hadoop.kms.authentication.kerberos.name.rules settings from kms-site.xml? Try "DEFAULT" if you have a customized setting that is invalid. You mentioned that the kms principle is changed. Can you also post your hadoop.kms.authentication.kerberos.principal and hadoop.security.auth_to_local settings from core-site.xml? ... View more

@Robert Levas Thank you for your detailed explanation. With these details, i've resolved my issue. It was a problem in my kadm5.acl. ... View more

@Manjunath P N. I am not sure of all the steps, but they should be outlined here - https://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html. ... View more

@Neha G In a kerberized cluster there are 2 types of keytabs or principals headless and service principals. Headless principals are not bound to a specific host or node and are presented like @ SRV.COM Service principals are bound to a specific service and host or node, and are presented like with syntax: /@ SRV.COM So when you initialize the hdfs.headless.keytab is as DoAs so the user will take hdfs permissions ... View more