
Quick Start - Kerberos Troubleshooting


Hi 

 

I manually installed krb5-server MIT and Workstation on the Quick Start VM.

I am using AES encryption type. 

Below is the error I am facing.

 

KRB.CONF 

/etc/krb5.conf

default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5  
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5

---- Matches the exact sequence in Cloudera Manager also.

Edited /var/kerberos/krb5kdc/kadm5.acl with

Then we edit /var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 HADOOPSECURITY.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-hmac-sha1:normal arcfour-hmac-md5:normal
  max_renewable_life = 7d
 }

Below is the error I am getting when I enable debug and stdout.

 

[cloudera@quickstart Desktop]$ kinit hdfs
Password for hdfs@HADOOPSEC.COM: 

[cloudera@quickstart Desktop]$ hdfs dfs -ls
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
>>>KinitOptions cache name is /tmp/krb5cc_501
>>>DEBUG <CCacheInputStream> client principal is hdfs@HADOOPSEC.COM
>>>DEBUG <CCacheInputStream> server principal is krbtgt/HADOOPSEC.COM@HADOOPSEC.COM
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> auth time: Mon May 14 05:06:42 PDT 2018
>>>DEBUG <CCacheInputStream> start time: Mon May 14 05:06:42 PDT 2018
>>>DEBUG <CCacheInputStream> end time: Tue May 15 05:06:42 PDT 2018
>>>DEBUG <CCacheInputStream> renew_till time: Mon May 21 05:06:42 PDT 2018
>>> CCacheInputStream: readFlags() FORWARDABLE; RENEWABLE; INITIAL;
>>>DEBUG <CCacheInputStream> client principal is hdfs@HADOOPSEC.COM
>>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/HADOOPSEC.COM@HADOOPSEC.COM
>>>DEBUG <CCacheInputStream> key type: 0
>>>DEBUG <CCacheInputStream> auth time: Wed Dec 31 16:00:00 PST 1969
>>>DEBUG <CCacheInputStream> start time: null
>>>DEBUG <CCacheInputStream> end time: Wed Dec 31 16:00:00 PST 1969
>>>DEBUG <CCacheInputStream> renew_till time: null
>>> CCacheInputStream: readFlags()
>>> unsupported key type found the default TGT: 18
18/05/14 05:06:52 WARN security.UserGroupInformation: PriviledgedActionException as:cloudera (auth:KERBEROS) cause:javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
18/05/14 05:06:52 WARN ipc.Client: Exception encountered while connecting to the server : javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
18/05/14 05:06:52 WARN security.UserGroupInformation: PriviledgedActionException as:cloudera (auth:KERBEROS) cause:java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]
ls: Failed on local exception: java.io.IOException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]; Host Details : local host is: "quickstart.cloudera/10.0.2.15"; destination host is: "quickstart.cloudera":8020;

[cloudera@quickstart Desktop]$ env KRB5_TRACE=/dev/stdout kinit hdfs
[10379] 1526299382.926005: Getting initial credentials for hdfs@HADOOPSEC.COM
[10379] 1526299382.926163: Sending request (197 bytes) to HADOOPSEC.COM
[10379] 1526299382.926190: Resolving hostname quickstart.cloudera
[10379] 1526299382.926344: Sending initial UDP request to dgram 10.0.2.15:88
[10379] 1526299382.931792: Received answer from dgram 10.0.2.15:88
[10379] 1526299382.931809: Response was not from master KDC
[10379] 1526299382.931831: Processing preauth types: 19
[10379] 1526299382.931839: Selected etype info: etype aes256-cts, salt "(null)", params ""
[10379] 1526299382.931841: Produced preauth for next request: (empty)
[10379] 1526299382.931844: Salt derived from principal: HADOOPSEC.COMhdfs
[10379] 1526299382.931846: Getting AS key, salt "HADOOPSEC.COMhdfs", params ""
Password for hdfs@HADOOPSEC.COM:
[10379] 1526299384.710120: AS key obtained from gak_fct: aes256-cts/96F0
[10379] 1526299384.710174: Decrypted AS reply; session key is: aes256-cts/ABCF
[10379] 1526299384.710187: FAST negotiation: available
[10379] 1526299384.710206: Initializing FILE:/tmp/krb5cc_501 with default princ hdfs@HADOOPSEC.COM
[10379] 1526299384.710293: Removing hdfs@HADOOPSEC.COM -> krbtgt/HADOOPSEC.COM@HADOOPSEC.COM from FILE:/tmp/krb5cc_501
[10379] 1526299384.710298: Storing hdfs@HADOOPSEC.COM -> krbtgt/HADOOPSEC.COM@HADOOPSEC.COM in FILE:/tmp/krb5cc_501
[10379] 1526299384.710334: Storing config in FILE:/tmp/krb5cc_501 for krbtgt/HADOOPSEC.COM@HADOOPSEC.COM: fast_avail: yes
[10379] 1526299384.710346: Removing hdfs@HADOOPSEC.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/HADOOPSEC.COM\@HADOOPSEC.COM@X-CACHECONF: from FILE:/tmp/krb5cc_501
[10379] 1526299384.710350: Storing hdfs@HADOOPSEC.COM -> krb5_ccache_conf_data/fast_avail/krbtgt\/HADOOPSEC.COM\@HADOOPSEC.COM@X-CACHECONF: in FILE:/tmp/krb5cc_501

[cloudera@quickstart Desktop]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: hdfs@HADOOPSEC.COM

Valid starting     Expires            Service principal
05/14/18 05:03:02  05/15/18 05:03:02  krbtgt/HADOOPSEC.COM@HADOOPSEC.COM
	renew until 05/21/18 05:03:02, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

Any information is highly appreciated. HDFS daemons are all up and running except NAMENODE, which complains about encryption type.
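
Added example (not part of the original post): a Python check that reads the JVM Kerberos debug output and the `permitted_enctypes` line quoted above, and reports each etype the JVM refused together with whether krb5.conf permits it. The function names are hypothetical; the etype number and alias tables are assumptions taken from the IANA Kerberos registry and MIT krb5 naming.

```python
import re

# Kerberos etype numbers from the IANA registry (RFC 3961/3962/4757); assumed table.
ETYPE_NAMES = {16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
# Aliases MIT krb5 accepts in krb5.conf, mapped to the canonical name.
ALIASES = {"aes256-cts": "aes256-cts-hmac-sha1-96",
           "aes128-cts": "aes128-cts-hmac-sha1-96",
           "arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac",
           "des3-hmac-sha1": "des3-cbc-sha1"}

def conf_enctypes(krb5_conf, key="permitted_enctypes"):
    """Canonical enctype names listed for `key` in krb5.conf text."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(.+)$", krb5_conf, re.M)
    names = re.split(r"[\s,]+", m.group(1).strip()) if m else []
    return {ALIASES.get(n.lower(), n.lower()) for n in names if n}

def jvm_ccache_view(debug_out):
    """Return ({server principal: key type}, [etype numbers the JVM rejected])."""
    keys, rejected, server = {}, [], None
    for line in debug_out.splitlines():
        if m := re.search(r"server principal is (\S+)", line):
            server = m.group(1)
        elif (m := re.search(r"key type: (\d+)", line)) and server:
            keys[server] = int(m.group(1))
        elif m := re.search(r"unsupported key type found the default TGT: (\d+)", line):
            rejected.append(int(m.group(1)))
    return keys, rejected

def diagnose(krb5_conf, debug_out):
    """One finding per etype the JVM refused, with what krb5.conf says about it."""
    permitted = conf_enctypes(krb5_conf)
    keys, rejected = jvm_ccache_view(debug_out)
    return [{"etype": n, "name": ETYPE_NAMES.get(n, f"etype-{n}"),
             "permitted_in_krb5_conf": ETYPE_NAMES.get(n) in permitted,
             "tgt_principals": sorted(p for p, k in keys.items() if k == n)}
            for n in rejected]

# Excerpts copied from the post above.
KRB5_CONF = "permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5\n"
JVM_DEBUG = """\
>>>DEBUG <CCacheInputStream> server principal is krbtgt/HADOOPSEC.COM@HADOOPSEC.COM
>>>DEBUG <CCacheInputStream> key type: 18
>>>DEBUG <CCacheInputStream> server principal is X-CACHECONF:/krb5_ccache_conf_data/fast_avail/krbtgt/HADOOPSEC.COM@HADOOPSEC.COM
>>>DEBUG <CCacheInputStream> key type: 0
>>> unsupported key type found the default TGT: 18
"""

if __name__ == "__main__":
    print(diagnose(KRB5_CONF, JVM_DEBUG))
```

For these excerpts the check reports etype 18 (aes256-cts-hmac-sha1-96) as permitted in krb5.conf and issued for the TGT, yet rejected by the JVM. JDK builds that ship the limited-strength JCE policy cannot use 256-bit AES keys, so the Java runtime's crypto policy is the first thing to check.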
