@kasa  Can you share a scrambled version of your krb5.conf from both clusters and the auth-to_local of both clusters When copying data from a secure cluster to a secure cluster, the following configuration setting is required in the core-site.xml file:   <property> <name>hadoop.security.auth_to_local</name> <value></value> <description>Maps kerberos principals to local user names</description> </property>   Secure-to-Secure: Kerberos Principal Name Assign the same principle name to applicable NameNodes in the source and destination clusters.   distcp hdfs://hdp-2.0-secure hdfs://hdp-2.0-secure   The SASL RPC client requires that the remote server’s Kerberos principal must match the server principal in its own configuration. Therefore, the same principal name must be assigned to the applicable NameNodes in the source and the destination cluster. For example, if the Kerberos principal name of the NameNode in the source cluster is nn/host1@realm, the Kerberos principal name of the NameNode in destination cluster must be nn/host2@realm, rather than nn2/host2@realm.   Secure-to-Secure: ResourceManager mapping rules When copying between two HDP2 secure clusters, further ResourceManager (RM) configuration is required if the two clusters have different realms. Can you share your hadoop.security.auth_to_local on both clusters, in order for DistCP to succeed, the same RM mapping rule must be used in both clusters. I am assuming the REALMS are TEST.COM and DEV.COM for cluster 1 and 2 respectively   <property> <name>hadoop.security.auth_to_local</name> <value> RULE:[2:$1@$0](rm@.*CLUSTER1.TEST.COM)s/.*/yarn/ RULE:[2:$1@$0](rm@.*CLUSTER2.DEV.COM)s/.*/yarn/ DEFAULT </value> </property>   Can you try that and revert     ... View more

@kasa    Disctcp is used for inter/Intracluster copy but the command you are running is not wrong because you need the source and destination NameNodes. $ hadoop distcp /user/home/test.txt /tmp/ The most common use of DistCp is an inter-cluster copy, where you copy from NameNode1[nn1] to Namenode2[nn2] on 2 different clusters and both clusters should be up and running during the process $ hadoop distcp hdfs://nn1:8020/source hdfs://nn2:8020/destination Where hdfs://nn1:8020/source is the data source, and hdfs://nn2:8020/destination is the destination. This will expand the namespace under /source on NameNode "nn1" into a temporary file, partition its contents among a set of map tasks, and start copying from "nn1" to "nn2". Note that DistCp requires absolute paths.   Personally I think you should use CopyToLocal instead as according to my understanding you are trying to copy a file from hdfs to you local tmp directory   Assuming your directory /user/home/ is in hdfs and you are running the command as HDFS user! This will copy the test.txt from hdfs to local /tmp directory   $ hdfs dfs -copyToLocal /user/home/test.txt /tmp/ And to successfully copy between 2 kerberized cluster you should perform the Kerberos cross-realm trust for distcp it's simple to setup just follow the guide and you will be fine   Please let me know if my assumption is correct   ... View more

@Arun66  unfortunately with such a vague and incomplete log, we can't help much. Questions? CDH or HWX Shar e the logs? Share the command being executed? Kerberized or not And any indo you deem important   Happy hadooping   ... View more

@berti    Good to know it's resolved usually upgrading a cluster doesn't reset the hostnames in /etc/hosts? AWS internal IPs are for AWS inter datacenter communication  to expose the hosts you definitely need the public (external) IP's   Happy hadooping   ... View more

@berti  The first reflex is to regenerate the principals following the below steps   Review and regenerate the Kerberos principals for your cluster: Select   Administration   >   Kerberos . The currently configured Kerberos principals are displayed. If you are running HDFS, the   hdfs/hostname   and   host/hostname   principals are listed. If you are running MapReduce, the   mapred/hostname   and   host/hostname   principals are listed. The principals for other running services are also listed. Only if necessary, select the principals you want to regenerate. Click   Regenerate. I have also noticed a discrepancy in the 2 principals I hope it was not a human error while you are trying to mask your real principals user hdfs/hdfs/datanode-fqdn@REALM (auth:KERBEROS user hdfs/datanode-fqdn@REALM (auth:KERBEROS) This also appears in the logs Connection from 172.17.98.94:27869 for protocol org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol is unauthorized for user hdfs/hdfs/datanode-fqdn@REALM (auth:KERBEROS)     Connection from 172.17.98.96:39391 for protocol org.apache.hadoop.hdfs.server.protocol.DatanodeProtocol is unauthorized for user hdfs/datanode-fqdn@REALM (auth:KERBEROS)   Could you check that and revert.       ... View more