New Contributor
Posts: 2
Registered: ‎11-09-2017

Cloudera Manager Kerberos Wizard Generated Active Directory accounts not working

Hi

I was able to run through the wizard to configure Kerberos on my cluster. I can see a bunch of accounts on AD created by the wizard but none seem to work.

 

org.apache.hadoop.security.KerberosAuthException: Login failure for user: hdfs/xxxx-dev-cdh-dn1.domain.net@DOMAIN.NET from keytab hdfs.keytab javax.security.auth.login.LoginException: Unable to obtain password from user

I can log in to Cloudera Manager fine with the AD users. But when I try to check the hdfs user Cloudera created in AD with the keytab, it does not work. I can't find anything in your documentation that speaks to this issue. Do I need to go update the password in AD and generate a new keyfile or something?

 

Kinit with user and keytab works!


[root@xx-dev-cdh-dn0 praelexis]# kinit -kt /var/run/cloudera-scm-agent/process/343-hdfs-DATANODE/hdfs.keytab hdfs/xx-dev-cdh-dn0.clientinsights.capinet

 klist -e

Default principal: hdfs/xx-dev-cdh-dn0.clientinsights.capinet@CLIENTINSIGHTS.CAPINET

Valid starting Expires Service principal
11/10/17 10:14:19 11/10/17 20:14:19 krbtgt/CLIENTINSIGHTS.CAPINET@CLIENTINSIGHTS.CAPINET
renew until 11/17/17 10:14:19, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

 

kinit cloud_admin (User Manager Account)
Password for cloud_admin@DOMAIN.NET:
[root@xx-dev-cdh-dn1 praelexis]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cloud_admin@DOMAIN.NET

Valid starting Expires Service principal
11/10/17 09:49:49 11/10/17 19:49:52 krbtgt/DOMAIN.NET@DOMAIN.NET
renew until 11/17/17 09:49:49, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

 

Also works

 

I can login to my Linux Nodes with normal AD accounts fine. 

 

Any help will be appreciated.

 

 

Regards

Nic

 

 

Re: Cloudera Manager Kerberos Wizard Generated Active Directory accounts not working

Don't worry about this, I sorted the issue.

The JCE wasn't installed properly on all the nodes. After I re-ran that setup the services were able to start using the keytabs created by the wizard.
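
An added example, not part of the original thread: the `klist -e` output above shows aes256-cts-hmac-sha1-96 keys, which a JVM limited to the default restricted JCE policy cannot use. The check below compares the AES enctypes in `klist -e` output against what the local JVM allows; the class name `JceEtypeCheck` and the sample principal are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashSet;
import java.util.Scanner;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.crypto.Cipher;

public class JceEtypeCheck {
    // Constructed sample in the "Etype" line format that `klist -e` prints in the thread.
    static final String SAMPLE =
        "Default principal: hdfs/node1.example.net@EXAMPLE.NET\n"
      + "renew until 11/17/17 10:14:19, Etype (skey, tkt): "
      + "aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96\n";

    // Collect each distinct AES enctype name found in klist output.
    static Set<String> aesEtypes(String klistOutput) {
        Set<String> found = new LinkedHashSet<>();
        Matcher m = Pattern.compile("\\baes(?:128|256)-cts-hmac-sha\\d+-\\d+").matcher(klistOutput);
        while (m.find()) found.add(m.group());
        return found;
    }

    // AES key size in bits implied by the enctype name.
    static int keyBits(String etype) {
        return etype.startsWith("aes256") ? 256 : 128;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Pass "-" to read real `klist -e` output from stdin; otherwise use the sample.
        String input = SAMPLE;
        if (args.length > 0 && args[0].equals("-")) {
            Scanner in = new Scanner(System.in).useDelimiter("\\A");
            input = in.hasNext() ? in.next() : "";
        }
        // 128 under the limited-strength JCE policy, Integer.MAX_VALUE when unlimited.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Java " + System.getProperty("java.version") + ", max AES key bits: " + maxAes);
        boolean blocked = false;
        for (String etype : aesEtypes(input)) {
            boolean usable = keyBits(etype) <= maxAes;
            blocked |= !usable;
            System.out.println((usable ? "OK       " : "BLOCKED  ") + etype);
        }
        if (blocked) {
            System.out.println("This JVM cannot use these keys: fix the JCE policy files on this node.");
            System.exit(1);
        }
    }
}
```

Run it on every node with the same JVM the Hadoop services use, piping in `klist -e` output and passing `-` as the argument; a non-zero exit marks a node whose JCE policy blocks the keytab's keys.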
