I am trying to kerberize an Ambari (2.6.0) Hadoop (HDP 18.104.22.168) cluster.
I have IPA and was not able to get the Ambari Automatic config to work so I have moved on to the "Manual" process.... which I am also running into problems.
Ambari Server is running as root. I also have an ambari user that is in IPA that has passwordless sudo access to all hosts. root on ambari server also has passwordless ssh access to all hosts(Is this needed?)
Here are my questions:
1) If doing the manual procedure does one still need to enable the IPA experimental feature?
2) Does Ambari Server need to be configured to run as a non-root user or can we kerberize and still have ambari server run as root?
3) If I do want to have Kerberos princs that include the cluster name... Do the USER Kerberos princs have to be the same as the local unix user names and do these Kerberos USER princs need to match anything else in the Ambari configuration? For example if I create an hdfs-clustername USER princ do the SERVICE keytabs in /etc/security/keytabs then need to be owned by the Kerberos USER or just by the local user name?