Just to close the loop on this, this is definitely an issue with how Server 2008 handles UPNs. As soon as I installed 2012 R2, with the exact same config, everything worked.

I had a ticket open with HortonWorks, and have asked them to add the Server 2012 requirement to the documentation for anyone that wants to secure a cluster with AD Kerberos. Hopefully this will save someone else a lot of heartburn.

On Wed, May 27, 2015 at 10:55 AM, Steve Howard <[email protected]> wrote:
> Hi All,
>
> We are having an issue with the Ambari 2.0 release, and its wizard to
> configure Active Directory as a KDC for securing the cluster. We had no
> errors during configuration, but none of the services start after it has
> been completed.
>
> Specifically, we get the infamous "Client not found in Kerberos database"
> message. This is actually a very simple one-node cluster with Ambari and
> HDP on CentOS 6. We point to a Windows Server 2008 AD DC. When we print
> the associated attributes in AD, it looks like the UPN is formatted as a
> service principal name, which I don't think AD supports.
>
> See below for a snippet of the attributes in AD...
>
> [root@ambari2 ~]# /usr/jdk64/jdk1.7.0_67/bin/java TestAD | strings -a |
> grep nn
> >>>"CN=nn/ambari2.howard.local,CN=Users"
> cn: nn/ambari2.howard.local
> userPrincipalName: nn/[email protected]
> servicePrincipalName: nn/ambari2.howard.local
> distinguishedName: CN=nn/ambari2.howard.local,CN=Users,DC=howard,DC=local
> name: nn/ambari2.howard.local
> [root@ambari2 ~]#
>
> Has anyone run into this? Conversely, has anyone gotten AD to work as a KDC
> for Hadoop?
>
> Thanks,
>
> Steve
>
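The symptom in the thread is visible in the attribute dump: the account's userPrincipalName carries a `primary/instance@REALM` shape that Kerberos uses for service principals, which is what the original poster suspected the 2008 DC would not accept. The following script is an added pre-flight check, not code from the thread, from Ambari or from Hortonworks. It parses a dump in the same `attribute: value` layout as the quoted output, splits each UPN into primary, instance and realm the way Kerberos principal names are structured, and flags accounts whose UPN has an instance component. The sample dump is constructed for the example and uses the placeholder realm `EXAMPLE.LOCAL`; the parsing of the `>>>"CN=..."` record separator is an assumption about how that particular dump tool prints entries.

```python
import re

# Constructed sample modelled on the attribute dump quoted in the thread.
# Realm/domain values are placeholders, not the poster's real ones.
SAMPLE_DUMP = """\
>>>"CN=nn/ambari2.example.local,CN=Users"
cn: nn/ambari2.example.local
userPrincipalName: nn/ambari2.example.local@EXAMPLE.LOCAL
servicePrincipalName: nn/ambari2.example.local
distinguishedName: CN=nn/ambari2.example.local,CN=Users,DC=example,DC=local
name: nn/ambari2.example.local
>>>"CN=svc-backup,CN=Users"
cn: svc-backup
userPrincipalName: svc-backup@EXAMPLE.LOCAL
servicePrincipalName: backup/host1.example.local
distinguishedName: CN=svc-backup,CN=Users,DC=example,DC=local
name: svc-backup
"""

ATTR_LINE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")


def parse_dump(text):
    """Turn the dump into a list of dicts, one per directory entry.

    A line starting with '>>>' is assumed (for this example) to begin a new
    entry; every following 'name: value' line is collected under that entry.
    Multi-valued attributes (e.g. several SPNs) accumulate into a list.
    """
    entries = []
    current = None
    for line in text.splitlines():
        if line.startswith(">>>"):
            current = {}
            entries.append(current)
            continue
        match = ATTR_LINE.match(line)
        if match and current is not None:
            attr, value = match.group(1), match.group(2).strip()
            current.setdefault(attr, []).append(value)
    return entries


def split_principal(principal):
    """Split 'primary/instance@REALM' into its three parts.

    Missing instance or realm come back as empty strings, so a plain user
    principal such as 'alice@EXAMPLE.LOCAL' yields ('alice', '', 'EXAMPLE.LOCAL').
    """
    name, sep, realm = principal.rpartition("@")
    if not sep:
        name, realm = principal, ""
    primary, _, instance = name.partition("/")
    return primary, instance, realm


def check_entry(entry):
    """Return (dn, message) findings for one parsed entry."""
    findings = []
    dn = entry.get("distinguishedName", ["<no DN>"])[0]
    spns = set(entry.get("servicePrincipalName", []))
    for upn in entry.get("userPrincipalName", []):
        primary, instance, realm = split_principal(upn)
        if instance:
            # A UPN with an instance part is in service-principal form; the
            # thread reports this failing against a Server 2008 DC.
            findings.append((dn, "UPN is in primary/instance form: " + upn))
        if not realm:
            findings.append((dn, "UPN has no @REALM suffix: " + upn))
        if f"{primary}/{instance}" in spns:
            findings.append((dn, "UPN name part duplicates an SPN: " + upn))
    return findings


def audit(text):
    """Parse a dump and collect findings across all entries."""
    results = []
    for entry in parse_dump(text):
        results.extend(check_entry(entry))
    return results


if __name__ == "__main__":
    for dn, message in audit(SAMPLE_DUMP):
        print(f"{dn}: {message}")
```

Run against the constructed dump, the script reports the `nn/...` account twice (service-style UPN, and UPN name duplicating the SPN) and stays silent on `svc-backup`, whose UPN is a plain user name while its SPN carries the service form. Against a real export, feed the tool's output in through `audit()` after confirming the record separator matches what your dump utility prints.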
