NameNodes Will Not Start on BDA V4.2 When Enabling AD Kerberos with Centrify (Doc ID 2025681.1)

Last updated on JULY 01, 2015

Applies to:

Big Data Appliance Integrated Software - Version 4.2.0 and later
Linux x86-64

Symptoms

On BDA V4.2 when enabling AD Kerberos, the NameNode service will not come up.  The NameNode logs,  /var/log/hadoop-hdfs/hadoop-cmf-hdfs-NAMENODE-<host>.example.com.log.out,  show errors like:

2015-06-10 11:06:56,220 WARN org.apache.hadoop.security.UserGroupInformation:
  PriviledgedActionException as:hdfs/host.example.com@EXAMPLE.COM (auth:KERBEROS)
  cause:java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException:
  GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
2015-06-10 11:06:56,221 ERROR org.apache.hadoop.hdfs.server.namenode.EditLogInputStream:
  caught exception initializing http://host.example.com:8480/getJournal?jid=cluster-ns&segmentTxId=745246&storageInfo=...
java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException:
  No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
       at org.apache.hadoop.hdfs.server.namenode.EditLogFileInputStream$URLLog$1.run(EditLogFileInputStream.java:464)
       at org.apache.hadoop.hdfs.server.namenode.EditLogFileInputStream$URLLog$1.run(EditLogFileInputStream.java:456)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAs(Subject.java:422)
       at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1671)
       at org.apache.hadoop.security.SecurityUtil.doAsUser(SecurityUtil.java:445)
       at org.apache.hadoop.security.SecurityUtil.doAsCurrentUser(SecurityUtil.java:439)
       at org.apache.hadoop.hdfs.server.namenode.EditLogFileInputStream$URLLog.getInputStream(EditLogFileInputStream.java:455)
       at org.apache.hadoop.hdfs.server.namenode.EditLogFileInputStream.init(EditLogFileInputStream.java:141)
...

This indicates that the NameNodes can not connect with the Journal Nodes when they start up, and so can not authenticate.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms