[ https://issues.apache.org/jira/browse/AMBARI-12442?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14630486#comment-14630486 ]
Zack Marsh commented on AMBARI-12442:
-------------------------------------
[~rlevas],
The setupKerberos.sh script is doing the following:
* Installing the krb5, krb5-server, and krb5-client packages on the first Master, the host that will be running the MIT KDC
* Installing krb5-client package on all hosts in the cluster
* Creating the kdc.conf file
{code}
[kdcdefaults]
v4_mode = nopreauth
kdc_ports = 88,750
kdc_tcp_ports = 88
[realms]
VM7C4.HADOOP.TERADATA.COM = {
acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/lib/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
{code}
* Creating the key database
* Starting the KDC
* Setting the password for the Kerberos admin principal kadmin/admin
* Creating the kadm5.acl file
{code}
###############################################################################
#Kerberos_principal permissions [target_principal] [restrictions]
###############################################################################
#
#*/[email protected] *
*/admin@<REALM> *
{code}
* Creating a headless keytab for the 'tdatuser' (Linux user used to access HDFS and run jobs)
* Clearing YARN user cache directories on DataNodes (work-around for AMBARI-12402)
* Setting up proxies, setting the following properties to '*'
** hadoop.proxyuser.HTTP.groups
** hadoop.proxyuser.HTTP.hosts
** hadoop.proxyuser.hive.groups
** hadoop.proxyuser.hive.hosts
** hadoop.proxyuser.oozie.groups
** hadoop.proxyuser.oozie.hosts
* Restarting the stack to clear stale configs
The JCE unlimited key length policy has been set up properly (this Enable
Kerberos Wizard has been successfully completing in the past), and I'm not
seeing any GSSAPI errors in the NameNode log files.
> DataNodes and JournalNodes failed to start after enabling Kerberos via the
> Ambari Wizard.
> --------------------------------------------------------------------------------------------
>
> Key: AMBARI-12442
> URL: https://issues.apache.org/jira/browse/AMBARI-12442
> Project: Ambari
> Issue Type: Bug
> Components: ambari-web
> Affects Versions: 2.1.0
> Environment: ambari-server-2.1.0-1462
> Reporter: Irina Easterling
> Priority: Blocker
>
> On an HDP-2.3 cluster the DataNodes and JournalNodes failed to start
> after enabling Kerberos via the Ambari Wizard.
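
An added review check, not part of the original comment or of setupKerberos.sh: it parses the kdc.conf realm stanza and the proxyuser values listed in the comment and flags enctypes deprecated by RFC 6649 and RFC 8429, a realm with no AES enctype, and wildcard proxyuser entries. The function names, finding labels and sample strings are constructed for illustration.

```python
import re

# Enctype families deprecated by RFC 6649 (single DES) and RFC 8429 (3DES, RC4).
WEAK_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")

# Constructed sample: the realm stanza and proxyuser values listed in the comment.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
kdc_ports = 88,750
[realms]
VM7C4.HADOOP.TERADATA.COM = {
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
"""
SAMPLE_PROXYUSERS = {f"hadoop.proxyuser.{u}.{k}": "*"
                     for u in ("HTTP", "hive", "oozie") for k in ("groups", "hosts")}

def realm_enctypes(conf_text):
    """Return {realm: [enctype, ...]} for realms that set supported_enctypes."""
    realms, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or whole-line comment
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif section == "realms" and (m := re.fullmatch(r"(\S+)\s*=\s*\{", line)):
            realm = m.group(1)
        elif line == "}":
            realm = None
        elif realm and (m := re.fullmatch(r"supported_enctypes\s*=\s*(.*)", line)):
            # Entries are "enctype:salttype", separated by spaces or commas.
            realms.setdefault(realm, []).extend(
                t.split(":")[0] for t in m.group(1).replace(",", " ").split())
    return realms

def audit(conf_text, proxyusers):
    """Return (check, scope, details) findings for the settings reviewed here."""
    findings = []
    for realm, encs in realm_enctypes(conf_text).items():
        weak = sorted({e for e in encs if e.startswith(WEAK_PREFIXES)})
        if weak:
            findings.append(("weak-enctype", realm, weak))
        if not any(e.startswith("aes") for e in encs):
            findings.append(("no-aes-enctype", realm, []))
    wild = sorted(k for k, v in proxyusers.items()
                  if k.startswith("hadoop.proxyuser.") and v.strip() == "*")
    if wild:
        findings.append(("wildcard-proxyuser", "core-site", wild))
    return findings
```

Calling `audit(SAMPLE_KDC_CONF, SAMPLE_PROXYUSERS)` returns three findings for the configuration as posted; a realm without a `supported_enctypes` line is skipped because the KDC defaults then apply.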