My Oracle Support Banner

NameNodes Will Not Start on BDA V4.2 When Enabling AD Kerberos with Centrify (Doc ID 2025681.1)

Last updated on JULY 01, 2015

Applies to:

Big Data Appliance Integrated Software - Version 4.2.0 and later
Linux x86-64

Symptoms

On BDA V4.2 when enabling AD Kerberos, the NameNode service will not come up.  The NameNode logs,  /var/log/hadoop-hdfs/hadoop-cmf-hdfs-NAMENODE-<host>.example.com.log.out,  show errors like:

2015-06-10 11:06:56,220 WARN org.apache.hadoop.security.UserGroupInformation:
  PriviledgedActionException as:hdfs/host.example.com@EXAMPLE.COM (auth:KERBEROS)
  cause:java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException:
  GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
2015-06-10 11:06:56,221 ERROR org.apache.hadoop.hdfs.server.namenode.EditLogInputStream:
  caught exception initializing http://host.example.com:8480/getJournal?jid=cluster-ns&segmentTxId=745246&storageInfo=...
java.io.IOException: org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException:
  No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
       at org.apache.hadoop.hdfs.server.namenode.EditLogFileInputStream$URLLog$1.run(EditLogFileInputStream.java:464)
       at org.apache.hadoop.hdfs.server.namenode.EditLogFileInputStream$URLLog$1.run(EditLogFileInputStream.java:456)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAs(Subject.java:422)
       at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1671)
       at org.apache.hadoop.security.SecurityUtil.doAsUser(SecurityUtil.java:445)
       at org.apache.hadoop.security.SecurityUtil.doAsCurrentUser(SecurityUtil.java:439)
       at org.apache.hadoop.hdfs.server.namenode.EditLogFileInputStream$URLLog.getInputStream(EditLogFileInputStream.java:455)
       at org.apache.hadoop.hdfs.server.namenode.EditLogFileInputStream.init(EditLogFileInputStream.java:141)
...

This indicates that the NameNodes can not connect with the Journal Nodes when they start up, and so can not authenticate.

Cause

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!


In this Document
Symptoms
Cause
Solution


My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.