It is quite common from lots of Hadoop clusters that after enabling Load Balancer for certain services that have Kerberos already, the connection to those services via Load Balancer will fail. However, the direct connection to them will always successful.

The typical errors returned looks like below:

GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentials) 

In case of Oozie, when you try to access Oozie’s web UI via LB, it looks like below:

If this is the case for you, the first thing I suggest you to check is the DNS resolution.

In my case, I confirmed that the reserver DNS resolution did not work as expected. Simply run nslookup against the LB’s domain name, and then nslookup again using the IP address returned from previous step. It should return the original domain name. If not, try to fix this first and see if it can help to resolve the issue.

Another option is to set rdns=false in your /etc/krb5.conf file under [libdefaults] section. This will disable the reserver DNS checking at Kerberos level. However, I have noticed that this solution does not always work as expected. Not sure the reason yet.

Hope above information can help with anyone who has the similar issues.

Leave a Reply

Your email address will not be published. Required fields are marked *