This is the documentation for Cloudera Manager 5.0.x. Documentation for other versions is available at Cloudera Documentation.

Troubleshooting Security Issues

Typically, if Kerberos security is not working on your cluster, Hadoop will display generic messages about the cause of the problem. If you have problems, try these troubleshooting suggestions:
  • To make sure that the Cloudera Manager Server created the host and hdfs principals, run this command in the kadmin.local or kadmin shell:
    kadmin:  listprincs
  • Verify that the keytab files exist in the /var/run/cloudera-scm-agent/process directory on the Cloudera Manager Agent hosts and are not 0 bytes.
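
The keytab check from the second suggestion, written as a script. This is an added example, not part of Cloudera's documentation. It assumes keytabs are named *.keytab inside per-role subdirectories of the process directory; check_keytabs, PROCESS_DIR, LIST_PRINCS and RUN_AUDIT are names made up for this example.

```shell
#!/bin/sh
# Added example, not Cloudera's code. Audits the keytabs the Cloudera Manager
# Agent deployed under the process directory named on this page.
# Assumption: keytab files are named *.keytab inside per-role subdirectories.

PROCESS_DIR="${PROCESS_DIR:-/var/run/cloudera-scm-agent/process}"

# check_keytabs [DIR]
# Prints "OK <path>" or "EMPTY <path>" for each keytab found.
# Returns 0 if every keytab is non-empty, 1 if any keytab is 0 bytes or none
# were found, 2 if DIR is missing or unreadable.
check_keytabs() {
    kt_dir="${1:-$PROCESS_DIR}"
    if [ ! -d "$kt_dir" ] || [ ! -r "$kt_dir" ]; then
        echo "NO_DIR $kt_dir"
        return 2
    fi
    kt_list=$(find "$kt_dir" -type f -name '*.keytab' 2>/dev/null | sort)
    if [ -z "$kt_list" ]; then
        echo "NO_KEYTABS $kt_dir"
        return 1
    fi
    kt_rc=0
    while IFS= read -r kt; do
        if [ -s "$kt" ]; then
            echo "OK $kt"
            # Optional: list the principals stored in the keytab (MIT klist),
            # to compare against the listprincs output from kadmin.
            if [ "${LIST_PRINCS:-0}" = 1 ] && command -v klist >/dev/null 2>&1; then
                klist -kt "$kt" 2>&1 | sed 's/^/    /'
            fi
        else
            echo "EMPTY $kt"
            kt_rc=1
        fi
    done <<EOF
$kt_list
EOF
    return $kt_rc
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${RUN_AUDIT:-0}" = 1 ]; then
    check_keytabs "$@"
fi
```

Run it on each Cloudera Manager Agent host with enough privilege to read the process directory, for example with RUN_AUDIT=1 LIST_PRINCS=1 set in the environment.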

The following table contains solutions to some common Kerberos problems. You can also check the Server or Agent logs for any errors associated with keytab generation or information about the problems.

| Problems | Possible Causes | Solutions |
|---|---|---|
| After you enable Hadoop Secure Authentication in HDFS and MapReduce service instances, there are no principals generated in the Kerberos tab after about 20 seconds. | There is a problem with credential resolution. | Check the Cloudera Manager Server log file (/var/log/cloudera-scm-server/cloudera-scm-server.log) on the Server host to help you debug the problem. The log file may show why the Cloudera Manager Server cannot generate the principals using the gen or merge scripts. |
| Services are not started. | There is a problem with credential usage in the cluster. | If you are using AES-256 encryption for tickets, you must install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File". For more information about this issue, see: Appendix A - Troubleshooting in CDH 4 or Troubleshooting in CDH 5. |
| No principals are generated by Cloudera Manager, and the server log contains the following message: kadmin: GSS-API (or Kerberos) error while initializing kadmin interface | Because of a bug in Cloudera Manager, you must specify the Kerberos default realm in the Cloudera Manager Administration > Settings page; Cloudera Manager is unable to use a non-default realm. | See Step 6: Configure the Kerberos Default Realm in the Cloudera Manager Admin Console. |

Page generated September 3, 2015.