Solved,   The DNS entry was wrong ... solrs.mydomain was a CNAME and not a A Record.   Thanks again for your help!     ... View more

Ty again GeKas, i've verified haproxy configuration and its like youre example.   kinit with all principals in the keytab works without errors.   Again doing a curl on the balancer i've: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)   on server side i've this exception:   2018-03-02 19:16:05,261 DEBUG org.apache.hadoop.security.authentication.server.AuthenticationFilter: Request [https://solr.mydomain:8985/solr/] triggering authentication 2018-03-02 19:16:05,261 DEBUG org.apache.hadoop.security.authentication.server.AuthenticationFilter: Authentication exception: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed) org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed) at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:398) at org.apache.hadoop.security.token.delegation.web.DelegationTokenAuthenticationHandler.authenticate(DelegationTokenAuthenticationHandler.java:348) at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:538) at org.apache.solr.servlet.SolrHadoopAuthenticationFilter.doFilter(SolrHadoopAuthenticationFilter.java:413) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:612) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:503) at java.lang.Thread.run(Thread.java:745) Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed) at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:856) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:342) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:365) at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler$2.run(KerberosAuthenticationHandler.java:347) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.authenticate(KerberosAuthenticationHandler.java:347) ... 15 more Caused by: KrbException: Checksum failed at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:102) at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:94) at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175) at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:281) at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:149) at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:108) at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:829) ... 22 more Caused by: java.security.GeneralSecurityException: Checksum failed at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:408) at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:91) at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:100) ... 28 more   ... View more

Hi GeKas Same Encryption type arcfour-hmac (ActiveDirectory): klist -ket solr.keytab Keytab name: FILE:solr.keytab KVNO Timestamp Principal ---- ------------------- ------------------------------------------------------ 1 03/01/2018 16:27:50 HTTP/node1.mydomain@MYREALM (arcfour-hmac) 1 03/01/2018 16:27:50 HTTP/solrs.mydomain@MYREALM (arcfour-hmac) 1 03/01/2018 16:27:50 solr/node1.mydomain@MYREALM (arcfour-hmac)   (to be clear the node names and the realm are fake, they are just a placeholder to mask my real hosts 🙂 ) (The environment variable is for solr services)   i'm using haproxy too. Do you have a "template" for haproxy configuration maybe i'm missing something? ... View more

Thank you Michalis. ... View more

only the impala daemon. ... View more

Thanks Michalis, By deleting the impala role from a host, i need to reconfigure something ? the cluster just ignores the deleted host when the query is panned? ... View more