Enable Kerberos for Cluster - import_credentials.sh failed, krb configs are ok

New Contributor

Found several 'similar' issues, but none did really fit our situation.

 

usr/share/cmf/bin/import_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf2740814926769956207.keytab
+ USER=cloudera/admin@IM
+ PASSWD=REDACTED
+ KVNO=1
+ SLEEP=0
+ RHEL_FILE=/etc/redhat-release
+ '[' -f /etc/redhat-release ']'
+ set +e
+ grep Tikanga /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'CentOS release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'Scientific Linux release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ IFS=' '
+ read -a ENC_ARR
+ ktutil
+ echo 'wkt /var/run/cloudera-scm-server/cmf2740814926769956207.keytab'
+ chmod 600 /var/run/cloudera-scm-server/cmf2740814926769956207.keytab
chmod: cannot access ‘/var/run/cloudera-scm-server/cmf2740814926769956207.keytab’: No such file or directory

>>

The actual krb5.conf (limited to the important data) is:

[libdefaults]
...
default_realm = IM
...

[realms]
IM = {
 kdc = little-cerberos.im
 admin_server = little-cerberos.im
 default_domain = im
}

[domain_realm]
.im = IM
im = IM

Kerberos server configs seem to be ok, since I can log in with cloudera/admin@IM

kadmin works well too, I can list and add principals.

The error message does not actually "show" the real krb5.conf file; however, there is also no error message saying that the file is invalid (I had this situation a few hours ago for some unknown reason).
OS is CentOS 7, CDH 5.11 (test for 60 days), everything in a VM so that I can roll back if necessary (not using our developer cluster/license).

1 ACCEPTED SOLUTION

New Contributor

The problem was a misconfigured Kerberos encryption type.

Tested ktutil; the first time it did not work because I had misspelled the encryption type. It worked well with the right encryption type.

Tried to fix the encryption type in Manager. Worked well!
I deleted everything else and added

aes128-cts-hmac-sha1-96

(as in the example from https://web.mit.edu/kerberos/krb5-1.13/doc/admin/admin_commands/ktutil.html)

This config option should definitely be improved in Cloudera Manager, as well as the error reporting! Hope this will be helpful to somebody else too.

The default encryption type (if not configured in the Kerberos *.conf files) is:

aes256-cts-hmac-sha1-96

thus it should also become the default encryption type in Cloudera Manager.


4 REPLIES

Champion

I don't think it is creating the keytab file under that directory, which won't fail. The subsequent chmod command is failing as the keytab file doesn't exist. Strangely, I don't see the add princ ktutil command before the write to the keytab file. So I feel like it is not creating the keytab file because this is missing.

This is easy to test and verify though. Using the account that the CM server process is running under, either cloudera-scm* or root, run ktutil and the wkt command as shown. See if it does write it. If it doesn't, try adding 'add princ principal@realm' and then wkt. That should narrow down where the issue is coming from.

New Contributor

The keytab file is not created.

Now to the suggested steps:

tried to do

"wkt /var/run/cloudera-scm-server/cmf2740814926769956207.keytab"

in ktutil - no errors, but no file there. Maybe the necessary data for the keytab is not generated? And thus no file is saved, because there is nothing to save?

  try adding 'add princ principal@realm'

Do you mean to add a principal from kadmin - add_principal? (there seems to be no such option in ktutil)

If yes, which one? (cloudera/admin is already there)
--> ank principal@IM?

Or do you mean add_entry in ktutil? (No idea, yet, how to do this, and what I actually should add)

Another question: there is a 'cloudera-scm' user account, however I cannot su to it, so I had to test things as root. Should I make the cloudera-scm account usable and test from there?

Thanks!

Champion
Ah yes, sorry, add princ is for adding the principal to the Kerberos database. add_entry is for adding an entry to be written to a keytab file using ktutil.

Yes, do add_entry for cloudera/admin@IM, and then wkt.
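The two replies above (run add_entry for cloudera/admin@IM and then wkt, and the misspelled encryption type that turned out to be the cause) fit into one short script. The following is an added example, not Cloudera's import_credentials.sh and not code from any poster: it rejects an encryption type name that is not on a known list before ktutil is started, drives ktutil the same way the trace shows (commands on stdin, password on the line after add_entry -password), and checks that the keytab actually exists before chmod, so the failure is reported at the step that caused it rather than at chmod. The KRB_PASSWD environment variable, the enctype allow-list, the /tmp output path and the return-code scheme are assumptions of this example; the principal, KVNO and aes128-cts-hmac-sha1-96 are the values from the thread.

```shell
#!/usr/bin/env bash
# Added example, not Cloudera's import_credentials.sh: repeat the
# add_entry / wkt step by hand, refuse an unknown encryption type up
# front, and verify the keytab was written before chmod'ing it.
# Assumptions: password comes from the KRB_PASSWD environment variable;
# the enctype allow-list below is constructed for this example.
set -u

# Constructed allow-list of AES/RC4 enctype names that MIT ktutil accepts
# for "add_entry -e". A misspelled name (the thread's root cause) is
# caught here instead of leaving ktutil with an empty key list.
KNOWN_ENCTYPES="aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 rc4-hmac"

# validate_enctype NAME: status 0 if NAME is on the allow-list, 1 otherwise
validate_enctype() {
  for e in $KNOWN_ENCTYPES; do
    [ "$1" = "$e" ] && return 0
  done
  return 1
}

# ktutil_script PRINCIPAL KVNO ENCTYPE KEYTAB PASSWORD
# Prints the command stream that is fed to ktutil on stdin. ktutil reads
# the password as the line following "add_entry -password", which is how
# the traced import_credentials.sh drives it non-interactively.
ktutil_script() {
  printf 'add_entry -password -p %s -k %s -e %s\n' "$1" "$2" "$3"
  printf '%s\n' "$5"
  printf 'wkt %s\n' "$4"
  printf 'quit\n'
}

# import_keytab PRINCIPAL KVNO ENCTYPE KEYTAB
# Return codes (this example's own scheme): 0 success, 2 unknown enctype,
# 3 ktutil not installed, 4 keytab not written, 5 keytab unreadable by klist.
import_keytab() {
  principal=$1 kvno=$2 enctype=$3 keytab=$4
  if ! validate_enctype "$enctype"; then
    echo "import_keytab: unknown encryption type '$enctype'" >&2
    return 2
  fi
  if ! command -v ktutil >/dev/null 2>&1; then
    echo "import_keytab: ktutil not found in PATH" >&2
    return 3
  fi
  rm -f "$keytab"
  ktutil_script "$principal" "$kvno" "$enctype" "$keytab" "${KRB_PASSWD:-}" | ktutil
  # The check the original script lacks: wkt with an empty key list writes
  # no file at all, and the script only noticed when chmod failed.
  if [ ! -s "$keytab" ]; then
    echo "import_keytab: ktutil did not write $keytab (check principal and enctype)" >&2
    return 4
  fi
  chmod 600 "$keytab"
  # Confirm the entry, its KVNO and its enctype actually landed in the keytab.
  klist -k -t -e "$keytab" || return 5
  return 0
}

# Usage: KRB_PASSWD='...' ./import_keytab.sh   (runs only where ktutil exists)
if command -v ktutil >/dev/null 2>&1 && [ -n "${KRB_PASSWD:-}" ]; then
  import_keytab cloudera/admin@IM 1 aes128-cts-hmac-sha1-96 /tmp/cm-test.keytab
fi
```

Run it as the same account the CM server uses (cloudera-scm or root, as suggested above) so that the file permissions and PATH match what import_credentials.sh sees; the klist -k -t -e line at the end prints the enctype of each keytab entry, which is the quickest way to confirm the type you configured in Cloudera Manager is the one that was written.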
