
ECS 3.6.2 Data Access Guide

Verify that AD/LDAP is correctly configured with a secure Hadoop cluster

You should verify that AD or LDAP is correctly set up with Kerberos (KDC) and the Hadoop cluster.

When your configuration is correct, you should be able to run kinit as an AD/LDAP user. In addition, if the Hadoop cluster is configured for local HDFS, you should check that you can list the local HDFS directory before ECS is added to the cluster.

Workaround

If you cannot successfully authenticate as an AD/LDAP user with the KDC on the Hadoop cluster, you should address this before proceeding to ECS Hadoop configuration.

An example of a successful login is shown below:
[kcluser@lvipri054 root]$  kinit kcluser@QE.COM
Password for kcluser@QE.COM:


[kcluser@lvipri054 root]$ klist
Ticket cache: FILE:/tmp/krb5cc_1025
Default principal: kcluser@QE.COM

Valid starting     Expires            Service principal
04/28/15 06:20:57  04/28/15 16:21:08  krbtgt/QE.COM@QE.COM
        renew until 05/05/15 06:20:57

If the above is not successful, you can investigate using the following checklist:

  • Check the /etc/krb5.conf file on the KDC server for correctness and syntax. Realms can be case sensitive in the configuration files as well as when used with the kinit command.
  • Check that the /etc/krb5.conf file from the KDC server is copied to all the Hadoop nodes.
  • Check that one-way trust between AD/LDAP and the KDC server was successfully made.
  • Make sure that the encryption type on the AD/LDAP server matches that on the KDC server.
  • Check that the /var/kerberos/krb5kdc/kadm5.acl and /var/kerberos/krb5kdc/kdc.conf files are correct.
  • Try logging in as a service principal on the KDC server to confirm that the KDC server itself is working correctly.
  • Try logging in as the same AD/LDAP user on the KDC server directly. If that does not work, the issue is likely to be on the KDC server itself.
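
Two of the checklist items (realm case, and identical krb5.conf copies on every node) can be checked mechanically. The script below is an added example, not part of the ECS guide; the function names, file names, and the `.qe.com` domain mapping are constructed, and on a real cluster you would pass the KDC's /etc/krb5.conf and the copies collected from each Hadoop node.

```shell
# Added example, not from the ECS guide. Sample files and names are constructed.

# Print default_realm from the [libdefaults] section of a krb5.conf-style file.
default_realm() {
    awk '/^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
         in_lib && /^[ \t]*default_realm[ \t]*=/ {
             sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# Compare a principal's realm with default_realm byte-for-byte, since realms
# can be case sensitive. Prints: match | case-mismatch | different | no-realm
check_realm() {
    conf=$1; principal=$2
    case $principal in
        *@*) have=${principal##*@} ;;
        *)   echo no-realm; return 0 ;;
    esac
    want=$(default_realm "$conf")
    if [ "$have" = "$want" ]; then echo match
    elif [ "$(printf %s "$have" | tr '[:lower:]' '[:upper:]')" = \
           "$(printf %s "$want" | tr '[:lower:]' '[:upper:]')" ]; then echo case-mismatch
    else echo different; fi
}

# Print each copy that is not byte-identical to the reference krb5.conf.
differing_copies() {
    ref=$1; shift
    for f in "$@"; do cmp -s "$ref" "$f" || echo "$f"; done
}

# Constructed sample input: a minimal krb5.conf using the realm shown on the page.
write_sample_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = QE.COM
[domain_realm]
    .qe.com = QE.COM
EOF
}

# Demo on constructed files standing in for the KDC's file and two node copies.
dir=$(mktemp -d)
write_sample_conf "$dir/kdc.conf"
cp "$dir/kdc.conf" "$dir/node1.conf"
sed 's/QE\.COM/qe.com/' "$dir/kdc.conf" > "$dir/node2.conf"
check_realm "$dir/kdc.conf" kcluser@QE.COM
check_realm "$dir/node2.conf" kcluser@QE.COM
differing_copies "$dir/kdc.conf" "$dir/node1.conf" "$dir/node2.conf"
rm -rf "$dir"
```

A `case-mismatch` result or any path printed by `differing_copies` points at the first two checklist items; the remaining items (trust, encryption types, KDC ACLs) still need to be checked on the KDC and AD/LDAP servers.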
