My Oracle Support Banner

Disabling AD or MIT Kerberos Fails-HBase Service will not Start on BDA V4.2 (Doc ID 2052547.1)

Last updated on DECEMBER 19, 2019

Applies to:

Big Data Appliance Integrated Software - Version 4.2.0 and later
Linux x86-64


NOTE: In the examples that follow, user details, cluster names, hostnames, directory paths, filenames, etc. represent a fictitious sample (and are used to provide an illustrative example only). Any similarity to actual persons, or entities, living or dead, is purely coincidental and not intended in any manner.


Disabling Kerberos (MIT Kerberos or AD Kerberos) on BDA V4.2 (CDH 5.4) may require clearing the /hbase znodes.  Without this the HBase service may fail to come up after/during Kerberos removal while running 'bdacli disable kerberos' or 'bdacli disable ad_kerberos'.  Note however it may not be possible to clear /hbase znodes if HBase replication is enabled. For MIT Kerberos removal see: Instructions to Disable Kerberos on Oracle Big Data Appliance with Mammoth V3.*/V4.* Releases (Doc ID 1919431.1); for AD Kerberos removal see: Instructions to Enable/Disable AD Kerberos on Oracle Big Data Appliance with Mammoth V4.2 Release (Doc ID 2029378.1).

For earlier BDA versions, see: How to Remove /hbase/acl Znode Left Around After Kerberos is Disabled (Doc ID 1923834.1).  Some of the same steps apply, but some differ in BDA V4.2 (CDH 5.4).

Using 'bdacli disable ad_kerberos' as an example, symptoms look like:

1. The command to remove Kerberos, for example, 'bdacli disable ad_kerberos' fails as below:

ERROR: Puppet agent run on node <HOSTNAME1> had errors. List of errors follows
INFO: Also check the log file in /opt/oracle/BDAMammoth/bdaconfig/tmp/pagent-<HOSTNAME1>-<TIMESTAMP>.log
ERROR: Kerberos removal ran into issues. Exiting.
INFO: Running bdadiagcluster...

2. In Cloudera Manager (CM) the HBase service is down and can not be restarted.

3. Since 'bdacli disable ad_kerberos' did not complete, 'bdacli kerberos status' shows true.

4. However enough of 'bdacli disable ad_kerberos' completes such that CM shows that is Kerberos is removed.

a) From CM: Administration > Kerberos, Kerberos is disabled.

Output is like:

To enable Kerberos for these clusters, click the Enable Kerberos button below.
 Cluster                  Status
<cluster_name>  Kerberos is disabled.   [Enable Kerberos]

b) From CM:  HBase security is disabled.  Navigating: HBase > Configuration > Search: auth
HBase Secure Authentication > simple
HBase Secure Authorization > HBase is unchecked
HBase Thrift Authentication > none
HBase REST Authentication > simple

For example:


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document
 Known Issues

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.