The `var/kerberos/krb5kdc/kadm5.acl` file contents: */admin@EXAMPLE.COM * cloudera-scm@EXAMPLE.COM * flume/*@EXAMPLE.COM cloudera-scm@EXAMPLE.COM * hbase/*@EXAMPLE.COM cloudera-scm@EXAMPLE.COM * hdfs/*@EXAMPLE.COM cloudera-scm@EXAMPLE.COM * hive/*@EXAMPLE.COM cloudera-scm@EXAMPLE.COM * httpfs/*@EXAMPLE.COM cloudera-scm@EXAMPLE.COM * HTTP/*@EXAMPLE.COM cloudera-scm@EXAMPLE.COM * hue/*@EXAMPLE.COM cloudera-scm@EXAMPLE.COM * impala/*@EXAMPLE.COM cloudera-scm@EXAMPLE.COM * mapred/*@EXAMPLE.COM cloudera-scm@EXAMPLE.COM * oozie/*@EXAMPLE.COM cloudera-scm@EXAMPLE.COM * solr/*@EXAMPLE.COM cloudera-scm@EXAMPLE.COM * sqoop/*@EXAMPLE.COM cloudera-scm@EXAMPLE.COM * yarn/*@EXAMPLE.COM cloudera-scm@EXAMPLE.COM * zookeeper/*@EXAMPLE.COM   Here's  the cloudera-scm/admin principal details: kadmin.local: getprinc cloudera-scm/admin@EXAMPLE.COM Principal: cloudera-scm/admin@EXAMPLE.COM Expiration date: [never] Last password change: Thu Jan 30 11:07:33 UTC 2020 Password expiration date: [none] Maximum ticket life: 1 day 00:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Thu Jan 30 11:07:33 UTC 2020 (root/admin@EXAMPLE.COM) Last successful authentication: Thu Jan 30 11:25:10 UTC 2020 Last failed authentication: [never] Failed password attempts: 0 Number of keys: 1 Key: vno 1, arcfour-hmac, no salt MKey: vno 1 Attributes: REQUIRES_PRE_AUTH Policy: [none] ... View more

Hi @lwang , thanks for your input.   Cloudera manager version is 5.8.5, and CDH 5.4.4 (do they have to be the same version?)   No, I haven't used the wizard for Kerberos. And I've checked the krb5.conf file - it looks fine, but here it is just for the sake of having another pair of eyes on it 🙂 [libdefaults] default_realm = EXAMPLE.COM dns_lookup_realm = false dns_lookup_kdc = false rdns = false ticket_lifetime = 86400 renew_lifetime = 604800 forwardable = true default_tgs_enctypes = rc4-hmac default_tkt_enctypes = rc4-hmac permitted_enctypes = rc4-hmac udp_preference_limit = 1 kdc_timeout = 3000 [appdefaults] validate = false [realms] EXAMPLE.COM = { kdc = bdmanager1-test2.example.com:88 admin_server = bdmanager1-test2.example.com:749 #default_domain = example.com } [domain_realm] .example.com = EXAMPLE.COM example.com = EXAMPLE.COM   `krb5.conf` is deployed to all hosts, that's not the issue here.   Let me give an example. When I do "Import KDC admin credentials" from the Cloudera Manager UI and right after it's done I do "Generate missing credentials" - it works.  If I execute any commands in between, for example I do "Import cluster template" and that itself will call "Generate missing credentials" after deploying the parcels and applying host templates, then "Generate missing credentials" fails with the error that I specified above. If I manually again do "Import KDC admin credentials" and then "Generate missing credentials" - again it works.   The error comes from the script that is triggered by the "Generate missing credentials" command, located at `/usr/share/cmf/bin/gen_credentials.sh`, as it sets incorrect realm for `CMF_REALM` variable (as can be seen from the stack trace above), hence the error.   As a workaround I've explicitly set `CMF_REALM=EXAMPLE.COM` in that script, but that's not ideal so I am trying to get to the bottom of why this is happening.   Hope my ramblings make any sense 🙂 ... View more