About DianaTorres

9een · ‎01-10-2026

@scala_ FYI ➤ It appears you have performed an exhaustive verification of the standard Kerberos and HBase configurations. The "GSS initiate failed" error in a Kerberized HBase environment, especially when standard connectivity and ticket validation pass, often points to subtle mismatches in how the Java process handles the security handshake or how the underlying OS interacts with the Kerberos libraries. ➤ Based on the logs and environment details you provided, here are the most likely remaining causes for this issue: 1. Java Cryptography Extension (JCE) and Encryption Types While you confirmed support for AES256 in krb5.conf, the Java Runtime Environment (JRE) itself may be restricting it. -The Issue: Older versions of Java 8 require the JCE Unlimited Strength Jurisdiction Policy Files to be manually installed to handle 256-bit encryption. If the Master is sending an AES256 ticket but the RegionServer's JVM is restricted, the GSS initiation will fail. -The Fix: Ensure the JCE policy files are installed, or if using a modern OpenJDK, ensure the java.security file allows all encryption strengths. You can also try restricting permitted_enctypes in krb5.conf to aes128-cts-hmac-sha1-96 temporarily to see if the connection succeeds with a lower bit-rate. 2. Reverse DNS (RDNS) Mismatch Kerberos is extremely sensitive to how hostnames are resolved. -The Issue: Even with entries in /etc/hosts, Java's GSSAPI often performs a reverse DNS lookup on the Master's IP. If the IP 10.51.39.121 (from your previous logs) resolves to a different hostname (or no hostname at all) than what is in your keytab (host117), the "GSS initiate" will fail. -The Fix: Add rdns = false to the [libdefaults] section of your /etc/krb5.conf on all nodes. This forces Kerberos to use the hostname provided by the application rather than trying to resolve the IP back to a name. 3. Service Principal Name (SPN) Case Sensitivity In hbase-site.xml, the principals are often defined with _HOST placeholders. -The Issue: If hbase.master.kerberos.principal is set to hbase/_HOST@REALM, HBase replaces _HOST with the fully qualified domain name (FQDN). If your system reports the FQDN as host117.kfs.local but the Kerberos Database (KDB) only has hbase/host117@REALM, the handshake fails. -The Fix: Ensure the output of the hostname -f command exactly matches the principal stored in the keytab. 4. JAAS "Server" vs. "Client" Sections Your earlier logs mentioned: “Added the Server login module in the JAAS config file.” -The Issue: In HBase, the RegionServer acts as a Client when connecting to the Master. If your JAAS configuration only has a Server section and is missing a Client section (or if the Client section has incorrect keytab details), the RegionServer will fail to initiate the GSS context toward the Master. -The Fix: Ensure your JAAS file contains both sections, and that the Client section points to the correct RegionServer keytab/principal.

9een · ‎01-10-2026

@jkoral FYI ➤ Based on the logs provided, the checkpoint failure is caused by an authentication mismatch during the FSImage upload process, further complicated by an underlying storage type configuration issue ➤ Primary Reason: Authentication Failure (403 Forbidden) The Standby NameNode (SNN) successfully performs the checkpoint locally but fails to upload the merged fsimage back to the Active NameNode (NN). -The Error: The SNN logs report: java.io.IOException: Exception during image upload: Response: 403 (Forbidden), Message: Non-exception fault: Authentication failed. -The Mechanism: After merging the edits, the SNN attempts to POST the new image to the NN via HTTP. The NN rejects this request because it cannot verify the identity of the SNN, which is common in new clusters where Kerberos or shared secret configurations are not fully synchronized. ➤ Recommended Fixes Verify HTTP Authentication: Check the dfs.namenode.secondary.http-address and dfs.namenode.http-address settings. Ensure the hdfs user has consistent permissions across both hosts. Check Firewall/SELinux: Since this is RHEL9, ensure that the SNN can communicate with the NN on port 9870 (or 9871 if SSL is enabled).

DianaTorres · ‎12-31-2025

Here are some highlights from the month of November 42 new support questions 2124 new members WEBINAR2026 Trends in Data and AI Date: January 14, 2026 Time: 8:00 am PT | 11:00 am ET | 1600 GMT Register Now WEBINAR The Future of Agents with Private AI Watch Now Check out the FY25 Cloudera Meetup Events Calendar for upcoming & past event details! We would like to recognize the below community members and employees for their efforts over the last month to provide community solutions. See all our top participants at Top Solution Authors leaderboard and all the other leaderboards on our Leaderboards and Badges page. @MattWho @vafs @BFBounteous @akuser @PeterKa @casaui @Jaguar Share your expertise and answer some of the below open questions. Also, be sure to bookmark the unanswered question page to find additional open questions. Unanswered Community Post Components/ Labels Best Practice for configuring registry flows Apache NiFi Can Apache Hadoop run reliably inside Istio service mesh with mTLS enabled? Apache YARN How Nifi handles huge 1 TB files ? Apache NiFi LPAD/RPAD Parsing Issues Apache NiFi ConsumeKafka_2_6 leaking lot of memory in apache nifi 1.25 Apache NiFi JOLT to flatten nested JSON Apache NiFi

DianaTorres · ‎12-31-2025

Hello @PepeVo! As this is an older post, you would have a better chance of receiving a resolution by starting a new thread. This will also be an opportunity to provide details specific to your environment that could aid others in assisting you with a more accurate answer to your question. You can link this thread as a reference in your new post. Thanks.

cjervis · ‎12-29-2025

@ksmiller99 Were you able to resolve your issue? If so please mark the appropriate reply as the solution to help others in a similar situation find it in the future.

pnac03 · ‎12-20-2025

@MattWho Apologies for the delay here. I could finally try using certificates with the EKU Extensions and I do not see a similar authentication issue anymore. Thank you for the kind assistance!

VidyaSargur · ‎12-16-2025

@hshaikh, Did the response assist in resolving your query? If it did, kindly mark the relevant reply as the solution to help others find the answer more easily in the future.

DianaTorres · ‎12-10-2025

@Tituya Welcome to the Cloudera Community! To help you get the best possible solution, I have tagged our NiFi experts @MattWho @mburgess who may be able to assist you further. Please keep us updated on your post, and we hope you find a satisfactory solution to your query.

DianaTorres · ‎12-07-2025

Here are some highlights from the month of September & October 130 new support questions 9 new community articles 4031 new members WEBINAR2026 Trends in Data and AI Date: January 14, 2026 Time: 8:00 am PT | 11:00 am ET | 1600 GMT Register Now Check out the FY25 Cloudera Meetup Events Calendar for upcoming & past event details! Community Article Author Components/ Labels Cloudera Flow Management / Apache NiFi Best Practices Cookbook Matthew Burgess @mburgess Apache NiFiCloudera DataFlow (CDF) Flow Analysis Rules (enforcing Best Practices in Flow Design) Parameterize All The Things! (part 1 - Parameters and Parameter Contexts) Parameterize All The Things! (part 2 - Parameterizing Controller Service References) Parameterize All The Things! (part 3 - Parameter Providers) User Limit Factor and Minimum User Limit Percentage for a Specific Queue Ayaz Hussain @AyazHussain Apache YARN Java Garbage Collection changes in Java 11 & 17 Orlando Teixeira @orlandoteixeira Cloudera Data Platform (CDP)Cloudera Manager We would like to recognize the below community members and employees for their efforts over the last month to provide community solutions. See all our top participants at Top Solution Authors leaderboard and all the other leaderboards on our Leaderboards and Badges page. @MattWho @upadhyayk04 @ggangadharan @mburgess @Shmoo @vafs @BobKing @Frank168 @Shelton @Zainers @Jaguar @nifier Share your expertise and answer some of the below open questions. Also, be sure to bookmark the unanswered question page to find additional open questions. Unanswered Community Post Components/ Labels Hive execution stage failing in informatica - after upgrading cloudera cdp cluster Apache Hive JOLT to flatten nested JSON Apache NiFi Frequent Node Disconnects and Flow Synchronization Issues in NiFi 1.25 with3 node cluster , node-0 gets issue all the time Apache NiFi Configuration of HashiCorp Vault Paremeter Context : Error "Cannot login using Kubernetes: permission denied" Apache NiFi Nifi cannot auth using OIDC keycloak with proxy server Apache NiFi

Danyal · ‎11-24-2025

I would highly appreciate it if someone could help me with this, thanks 😞

Online	Offline
Last Visited	‎05-28-2026 07:15 PM

Member Since	‎11-17-2021 08:08 AM
Last Visited	‎05-28-2026 07:15 PM
Posts	1,154
Kudos received	239

Cloudera Community

Re: How to change the company in the profile

Re: Keycloak SSO Hive REST Catalog

Re: Error connecting to NiFi Registry from NiFi UI...

Re: How to change my Account Email Address?

Re: Cannot erase old /opt/cloudera/parcels

Re: HBASE 2 Kerberos GSS filed：RegionServer fails ...

Re: HDFS Checkpoint Status Errors

December 2025 Community Highlights

Re: Nifi 2.0 Start Problem

Re: Alternative JRE for Impala JDBC driver?

Re: Error connecting to NiFi Registry from NiFi UI...

Re: mysql upgrade post OS upgrade to RHEL 8

Re: NiFi websocket subprotocols support

October / November 2025 Community Highlights

Re: Kafka KRaft Cluster SASL Inter-Broker Authenti...