@bgooley Thanks!.  I just groomed all krb5.* files on all hosts and re-enable the kerberos through CM where it can regenerate all missing credentials including managing krb. This time I gave freehand to CM to create individual service princiaples to various services(hdfs, hive, hue, etc.) instead of existing service principle (a system user).  This time Zookeeper started successfully but not HDFS. The HttpFS is also started in HDFS. I can't see any errors but can see WARNINGS in log file     CredentialManager kt_renewer WARNING Couldn't kinit as 'HTTP/xxx.xx.com' using /run/cloudera-scm-agent/process/1330-hdfs-HTTPFS/httpfs.keytab --- kinit: Client 'HTTP/xxx.xx.xxx.xx@xx.xx.xx' not found in Kerberos database while getting initial credentials     ... View more

I am also facing similar issue. Without kerberos all the services are running properly but when I try to kerberized the cluster with AD external authentication, the CM's wizard took me properly until stopping the cluster but when the cluster is restarting I am facing the issues in first step of hdfs dependency .. zookeeper Unexpected exception, exiting abnormally java.io.IOException: Could not configure server because SASL configuration did not allow the ZooKeeper server to authenticate itself properly: javax.security.auth.login.LoginException: Client not found in Kerberos database (6) at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:207) at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:87) at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:135) at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:116) at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:79)  we have generated credentials for common/single user for entire cluster services..  Any idea whats the issue.. ... View more

When CM is set to managing services, its central source of configs lie within the DB. For every time a role instance is spawned, the config is generated into a special (non-/etc/…) path and the service is started with the special config dir. You could do an ls -l /var/run/cloudera-scm-agent/process on any host to see this, for example (the same files are available in the UI under any instance's Processes tab). So even if you remove the packages, CM faces no impact since it still has the Parcel location now for the actual binaries, and the configs are within its DB, away from being affected by RPM removals. source: https://community.cloudera.com/t5/Cloudera-Manager-Installation/Package-installs-detected-on-host-with-parcel/td-p/32442 ... View more