This is the documentation for Cloudera Manager 4.8.3.
Documentation for other versions is available at Cloudera Documentation.

Troubleshooting Security Issues

Typically, if Kerberos security is not working on your cluster, Hadoop will display generic messages about the cause of the problem. If you have problems, try these troubleshooting suggestions:

  • To make sure that the Cloudera Manager Server created the host and hdfs principals, run this command in the kadmin.local or kadmin shell:
kadmin:  listprincs
  • Verify that the keytab files exist in the /var/run/cloudera-scm-agent/process directory on the Cloudera Manager Agent host machines and are not 0 bytes.

The following table contains solutions to some common Kerberos problems. You can also check the Server log (/var/log/cloudera-scm-server/cloudera-scm-server.log) on the Server host or the Agent log (/var/log/cloudera-scm-agent/cloudera-scm-agent.log) on the Agent hosts for any errors associated with keytab generation or information about the problems.


Possible Causes


After you enable Hadoop Secure Authentication in HDFS and MapReduce service instances, there are no principals generated in the Kerberos tab after about 20 seconds.

There is a problem with credential resolution.

Check the Cloudera Manager Server log file (/var/log/cloudera-scm-server/cloudera-scm-server.log) on the Server host to help you debug the problem. The log file may show why the Cloudera Manager Server cannot generate the principals using the gen or merge scripts. See "Viewing the Cloudera Manager Server Log".

Services are not started.

There is a problem with credential usage in the cluster.

If you are using AES-256 encryption for tickets, you must install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File". 1

No principals are generated by Cloudera Manager, and the server log contains the following message:
kadmin: GSS-API (or Kerberos) error 
while initializing kadmin interface

Because of a bug in Cloudera Manager, you must specify the Kerberos default realm in the Cloudera Manager Administration > Properties page; Cloudera Manager is unable to use a non-default realm.

To fix this problem, see Step 7: Configure the Kerberos Default Realm in the Cloudera Manager Admin Console.

1 For more information about this issue, see:  Appendix A - Troubleshooting in CDH 3 or Appendix A - Troubleshooting in CDH 4