Hi Steve...

We have successfully enabled Kerberos on many clusters using AD as the KDC.  My 
experience is with Windows Server 2012, though.

The details you are showing for the NN service identity look correct, so I 
don't think that is an issue.  If it wasn't, Active Directory would have 
rejected it upon creation of the account.  However, if you believe that the UPN 
is incorrect, you can disable Kerberos and then re-enable Kerberos. However, on 
the 2nd Wizard screen you should edit the "Attribute template" under the 
"Advanced kerberos-env" section and change:

Original:   "userPrincipalName": "$normalized_principal",
Updated:   "userPrincipalName": "$principal_name",

The "Client not found in Kerberos database" indicates that the identity in 
question may not have been created.  There may be several reasons for this... 
maybe the UPN is incorrect, maybe the host cannot communicate with the AD (this 
could happen if the krb5.conf file is incorrect).

I hope this helps,
Rob
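As an added diagnostic (not part of Rob's or Steve's mail, and not Ambari code), the following Python snippet renders the userPrincipalName that each of the two attribute-template variables would produce and compares it with what AD actually stores, also checking that the UPN realm is the domain's upper-case DNS name. It assumes $principal_name expands to the principal without a realm and $normalized_principal to principal@REALM, and it uses a constructed AD dump modelled on the snippet in the thread with the placeholder realm HOWARD.LOCAL.

```python
import re

# Constructed AD attribute dump modelled on the snippet in Steve's mail; the
# realm HOWARD.LOCAL is a placeholder derived from the sample host name.
AD_DUMP = """\
cn: nn/ambari2.howard.local
userPrincipalName: nn/ambari2.howard.local@HOWARD.LOCAL
servicePrincipalName: nn/ambari2.howard.local
distinguishedName: CN=nn/ambari2.howard.local,CN=Users,DC=howard,DC=local
name: nn/ambari2.howard.local
"""

def parse_ad_dump(text):
    """Turn 'attribute: value' lines into a dict (first occurrence wins)."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.+?)\s*$", line)
        if m and m.group(1) not in attrs:
            attrs[m.group(1)] = m.group(2)
    return attrs

def realm_from_dn(dn):
    """AD's default Kerberos realm is the domain's DNS name in upper case."""
    parts = re.findall(r"DC=([^,]+)", dn, flags=re.IGNORECASE)
    return ".".join(parts).upper()

def render_upn(var, principal, realm):
    """Assumed expansion of the two kerberos-env variables named in the thread."""
    if var == "$principal_name":
        return principal                  # primary/instance without realm
    if var == "$normalized_principal":
        return f"{principal}@{realm}"     # fully qualified principal
    raise ValueError(var)

def check_entry(ad_text, principal, realm):
    """Report how the stored UPN relates to the principal Hadoop will request."""
    attrs = parse_ad_dump(ad_text)
    upn = attrs.get("userPrincipalName", "")
    upn_realm = upn.rsplit("@", 1)[1] if "@" in upn else None
    return {
        "upn": upn,
        "template_var": next((v for v in ("$normalized_principal", "$principal_name")
                              if render_upn(v, principal, realm) == upn), None),
        "realm_matches_domain": upn_realm == realm_from_dn(attrs.get("distinguishedName", "")),
        "realm_case_ok": upn_realm is None or upn_realm == upn_realm.upper(),
        "spn_matches": attrs.get("servicePrincipalName") == principal,
    }
```

Run check_entry() against a real dump taken from your own AD (for example an ldapsearch of the service account) with the principal and realm from your kerberos-env; a None template_var or a False realm check points at the identity the KDC cannot find.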


From: Steve Howard <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Wednesday, May 27, 2015 at 10:55 AM
To: "[email protected]" <[email protected]>
Subject: Active Directory as a KDC for Hadoop

Hi All,

We are having an issue with the Ambari 2.0 release, and its wizard to configure 
Active Directory as a KDC for securing the cluster.  We had no errors during 
configuration, but none of the services start after it has been completed.

Specifically, we get the infamous "Client not found in Kerberos database" 
message.  This is actually a very simple one node cluster with Ambari and HDP 
on Centos 6.  We point to a Windows Server 2008 AD DC.  When we print the 
associated attributes in AD, it looks like the UPN is formatted as a service 
principal name, which I don't think AD supports.

See below for a snippet of the attributes in AD...

[root@ambari2 ~]# /usr/jdk64/jdk1.7.0_67/bin/java TestAD | strings -a | grep nn
>>>"CN=nn/ambari2.howard.local,CN=Users"
cn: nn/ambari2.howard.local
userPrincipalName: nn/[email protected]
servicePrincipalName: nn/ambari2.howard.local
distinguishedName: CN=nn/ambari2.howard.local,CN=Users,DC=howard,DC=local
name: nn/ambari2.howard.local
[root@ambari2 ~]#

Has anyone run in this?  Conversely, has anyone gotten AD to work as a KDC for 
Hadoop?

Thanks,

Steve
