I did it with reference to the open Kerberos wizard in the official cloudera documentation. Address: https://docs.cloudera.com/cdp-private-cloud-base/7.1.5/security-kerberos-authentication/topics/cm-security-kerberos-enabling-step4-kerberos-wizard.html

During the startup process, the last step of starting the cluster starts to report errors. The services reporting errors include Kafka, HBase, jobhistory, etc. the relevant logs are as follows:

Kafka, HBase and other logs:

Jobhistory log:

It can be seen from the log that the ticket is expired, so the relevant configurations of krb5.conf and kdc.conf files are checked. The configuration seems to be OK, as follows:

So, I took a CM automatically generated KeyTab (/ var/run/cloudera SCM agent/process/15 HDFS datacode/HDFS. KeyTab) on the server and tried Kinit to see if it really expired, but the results are as follows:

This error seems to indicate that the KeyTab format of this version is not supported. Therefore, it is considered that the Kerberos version is incompatible. Just before, I saw that some people said that the Kerberos version is sometimes incompatible. Link: https://community.cloudera.com/t5/Support-Questions/Kerberos-ticket-expired-kinit-keytab-successfully-java/td-p/80522

The respondents here give such tips:

Therefore, after the version was changed to 1.15.50, the problem was solved. This log hint is still very lame. Kerberos style has always been like this.