Reply
Explorer
Posts: 11
Registered: ‎11-14-2017

Kerberos authentication error with keytab

Hello,

 

I've got a problem with the authentication of Kerberos using the Keytab, when I try to start any instance of HDFS service I keep getting the next error.

 

org.apache.hadoop.security.KerberosAuthException: Login failure for user: hdfs/<fqdn>@<REALM.COM> from keytab hdfs.keytab javax.security.auth.login.LoginException: Message stream modified (41)

I did not found any satisfactory answer for this problem, and the principals authenticates very well using that keytab file through kinit command.

 

Thank you in advance.

New Contributor
Posts: 1
Registered: ‎11-15-2017

Re: Kerberos authentication error with keytab

Hi,

 

check that the Domain name in your krb5.conf is in uppercase:

 

 

default_realm = EXAMPLE.COM

EXAMPLE.COM = {
kdc = domaincontroller.example.com
admin_server = domaincontroller.example.com
default_domain = EXAMPLE.COM
}

.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

 

regards

Explorer
Posts: 11
Registered: ‎11-14-2017

Re: Kerberos authentication error with keytab

Yes, the realm name is in uppercase, the same as in the examples

Posts: 394
Topics: 11
Kudos: 60
Solutions: 35
Registered: ‎09-02-2016

Re: Kerberos authentication error with keytab

@rrodriguez

 

1. Get the node has keytab. Ex: I am using the node which belongs to impala daemon.
2. Go to /var/run/cloudera-scm-agent/process and ls, it will list the process
3. cd xxxxxx-impala-IMPALAD .. ## Run ls cmd and make sure it has impala.keytab
4. klist -kt impala.keytab ## This will list all the available and valid principals
5. kinit -kt impala.keytab <copy paste the valid principal from the above step>
6. klist ## make sure kinit initiated

Explorer
Posts: 11
Registered: ‎11-14-2017

Re: Kerberos authentication error with keytab

Sorry for the late response.

 

I did that and it worked with kinit and an imported keytab

 

Thank you

Posts: 394
Topics: 11
Kudos: 60
Solutions: 35
Registered: ‎09-02-2016

Re: Kerberos authentication error with keytab

@rrodriguez happy to know that it worked!!

Explorer
Posts: 11
Registered: ‎11-14-2017

Re: Kerberos authentication error with keytab

Sorry, worked the kinit command, Cloudera keeps giving the first mentioned exception.

Highlighted
Posts: 394
Topics: 11
Kudos: 60
Solutions: 35
Registered: ‎09-02-2016

Re: Kerberos authentication error with keytab

@rrodriguez

 

Is it? my bad, i didn't get it... Did you get a chance to follow 'all' the steps that i've mentioned? if so, were you able to run all the steps successfully?

Explorer
Posts: 11
Registered: ‎11-14-2017

Re: Kerberos authentication error with keytab

@saranvisa

 

Yes I've done all the steps in multiple ocasions, kinit command works fine with the keytabs imported but HDFS continues writing that error in logs.

Explorer
Posts: 11
Registered: ‎11-14-2017

Re: Kerberos authentication error with keytab

Hello @saranvisa

 

I tested it again after doing a regenerate keytabs and when doing the klist -kt I got the next message.

 

# klist -kt hdfs.keytab
Keytab name: FILE:hdfs.keytab
klist: Unsupported key table format version number while starting keytab scan

 

This is not the same for other keytab files in other directories into /var/run/cloudera-scm-agent/process just for some of them.

 

Any idea of what's happening? Why some processes are getting empty keytab files? I don't understand.

 

Thank you for the help

Announcements