Verify that AD/LDAP is correctly configured with a secure Hadoop cluster
You should verify that AD or LDAP is correctly set up with Kerberos (KDC) and the Hadoop cluster.
When your configuration is correct, you should be able to run kinit for an AD/LDAP user. In addition, if the Hadoop cluster is configured for local HDFS, you should check that you can list the local HDFS directory before ECS is added to the cluster.
Workaround
If you cannot successfully authenticate as an AD/LDAP user with the KDC on the Hadoop cluster, you should address this before proceeding to ECS Hadoop configuration.
An example of a successful login is shown below:
[kcluser@lvipri054 root]$ kinit kcluser@QE.COM
Password for kcluser@QE.COM:
[kcluser@lvipri054 root]$ klist
Ticket cache: FILE:/tmp/krb5cc_1025
Default principal: kcluser@QE.COM
Valid starting Expires Service principal
04/28/15 06:20:57 04/28/15 16:21:08 krbtgt/QE.COM@QE.COM
renew until 05/05/15 06:20:57
If the above is not successful, you can investigate using the following checklist:
- Check the /etc/krb5.conf file on the KDC server for correctness and syntax. Realm names can be case sensitive in the configuration files as well as when used with the kinit command.
- Check that the /etc/krb5.conf file from the KDC server is copied to all the Hadoop nodes.
- Check that one-way trust between AD/LDAP and the KDC server was successfully made.
- Make sure that the encryption type on the AD/LDAP server matches that on the KDC server.
- Check that the
/var/kerberos/krb5kdc/kadm5.acl and
/var/kerberos/krb5kdc/kdc.conf files are correct.
- Try logging in as a service principal on the KDC server to indicate that the KDC server itself is working correctly.
- Try logging in as the same AD/LDAP user on the KDC server directly. If that does not work, the issue is likely to be on the KDC server directly.
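Three of the checklist items (realm case, matching encryption types, and krb5.conf being an identical copy on every node) can be checked offline before running kinit. The bash script below is an added example, not from the original page; the config contents, the file names under a temporary directory and the use of the QE.COM realm from the session above are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: offline pre-flight checks for
# three items in the checklist above (realm case, matching enctypes, and
# krb5.conf being an identical copy on every node). The config contents,
# file names and realm below are constructed for illustration.
set -u

# Print one key's value from an INI-style Kerberos config section. The key
# is matched on the first word of a line, so it also finds per-realm keys
# inside the [realms] block of a single-realm kdc.conf.
krb_get() {  # usage: krb_get <file> <section> <key>
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec { insec = 1; next }
    /^\[/     { insec = 0 }
    insec && $1 == key { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# Realm names are compared case sensitively: the realm in the principal must
# match default_realm exactly. Returns 0 on match, 1 otherwise.
check_realm_case() {  # usage: check_realm_case <krb5.conf> <principal>
  [ "${2##*@}" = "$(krb_get "$1" libdefaults default_realm)" ]
}

# Every enctype the client permits must be one the KDC supports. kdc.conf
# lists them as enctype:salttype, so the salt type is stripped first.
check_enctypes() {  # usage: check_enctypes <krb5.conf> <kdc.conf>
  local kdc e
  kdc=" $(krb_get "$2" realms supported_enctypes | sed 's/:[^ ]*//g') "
  for e in $(krb_get "$1" libdefaults permitted_enctypes); do
    case "$kdc" in *" $e "*) ;; *) return 1 ;; esac
  done
  return 0
}

# The krb5.conf on every Hadoop node must be a byte-identical copy of the
# KDC's: all given files must share one checksum and size.
check_identical_copies() {  # usage: check_identical_copies <file>...
  [ "$(cksum "$@" | awk '{print $1, $2}' | sort -u | awk 'END {print NR}')" -eq 1 ]
}

# Constructed sample configs: a correct client copy, a stale node copy with a
# lower-case realm, and the KDC's kdc.conf.
WORK="$(mktemp -d)"
printf '[libdefaults]\n default_realm = QE.COM\n permitted_enctypes = aes256-cts aes128-cts\n' > "$WORK/krb5.conf"
printf '[libdefaults]\n default_realm = qe.com\n' > "$WORK/krb5.conf.node2"
printf '[realms]\n QE.COM = {\n  supported_enctypes = aes256-cts:normal aes128-cts:normal\n }\n' > "$WORK/kdc.conf"
check_realm_case "$WORK/krb5.conf" kcluser@QE.COM && echo "realm case: ok"
check_enctypes "$WORK/krb5.conf" "$WORK/kdc.conf" && echo "enctypes: ok"
check_identical_copies "$WORK/krb5.conf" "$WORK/krb5.conf.node2" || echo "krb5.conf differs between nodes"
```

Run the functions against the real /etc/krb5.conf fetched from each node and the KDC's kdc.conf; a non-zero exit from any check points at the corresponding checklist item.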