Posts: 289
Topics: 11
Kudos: 43
Solutions: 25
Registered: ‎09-02-2016
Accepted Solution

Enable Kerberos via Cloudera Manager wizard failed

Hi

Our test environment has RedHat 6.x. The Kerberos installation went well, but I am getting the following error when enabling Kerberos via the CM wizard.

All of our services were green before enabling Kerberos, but now all the services are down with the following error:

"Role is missing Kerberos keytab. Please run the Generate Missing Credentials command on the Kerberos Credentials tab of the Administration -> Security page"

I tried to generate the missing credentials on the Security page, but it failed with the error message below. Please help me understand how to proceed further...

/usr/share/cmf/bin/gen_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ CMF_REALM=AWS.COM
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf4310122296840901236.keytab
+ PRINC=oozie/<hostname>@AWS.COM
+ MAX_RENEW_LIFE=432000
+ KADMIN='kadmin -k -t /var/run/cloudera-scm-server/cmf8961661390083798972.keytab -p root@AWS.COM -r AWS.COM'
+ RENEW_ARG=
+ '[' 432000 -gt 0 ']'
+ RENEW_ARG='-maxrenewlife "432000 sec"'
+ '[' -z /var/run/cloudera-scm-server/krb51519941863236958532.conf ']'
+ echo 'Using custom config path '\''/var/run/cloudera-scm-server/krb51519941863236958532.conf'\'', contents below:'
+ cat /var/run/cloudera-scm-server/krb51519941863236958532.conf
+ kadmin -k -t /var/run/cloudera-scm-server/cmf8961661390083798972.keytab -p root@AWS.COM -r AWS.COM -q 'addprinc -maxrenewlife "432000 sec" -randkey oozie/<hostname>@AWS.COM'
WARNING: no policy specified for oozie/<hostname>@AWS.COM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "oozie/<hostname>@AWS.COM".
+ '[' 432000 -gt 0 ']'
++ kadmin -k -t /var/run/cloudera-scm-server/cmf8961661390083798972.keytab -p root@AWS.COM -r AWS.COM -q 'getprinc -terse oozie/<hostname>@AWS.COM'
++ tail -1
++ cut -f 12
get_principal: Operation requires ``get'' privilege while retrieving "oozie/<hostname>@AWS.COM".
+ RENEW_LIFETIME='Authenticating as principal root@AWS.COM with keytab /var/run/cloudera-scm-server/cmf8961661390083798972.keytab.'
+ '[' Authenticating as principal root@AWS.COM with keytab /var/run/cloudera-scm-server/cmf8961661390083798972.keytab. -eq 0 ']'
/usr/share/cmf/bin/gen_credentials.sh: line 35: [: too many arguments
+ kadmin -k -t /var/run/cloudera-scm-server/cmf8961661390083798972.keytab -p root@AWS.COM -r AWS.COM -q 'xst -k /var/run/cloudera-scm-server/cmf4310122296840901236.keytab oozie/<hostname>@AWS.COM'
kadmin: Operation requires ``change-password'' privilege while changing oozie/<hostname>@AWS.COM's key
+ chmod 600 /var/run/cloudera-scm-server/cmf4310122296840901236.keytab
chmod: cannot access `/var/run/cloudera-scm-server/cmf4310122296840901236.keytab': No such file or directory

>>

kadmin.local

kadmin.local:  listprincs
cloudera-scm/admin@AWS.COM
cloudera-scm/<Master_Domain>@AWS.COM
cloudera-scm/<hostname>@AWS.COM
host/<Clienthost1_name>@AWS.COM
host/<Clienthost2_name>@AWS.COM
kadmin/admin@AWS.COM
kadmin/changepw@AWS.COM
kadmin/<Master_hostname>@AWS.COM
krbtgt/AWS.COM@AWS.COM
kumar@AWS.COM
oozie/<Master_Domain>@AWS.COM
oozie/<Master_hostname>@AWS.COM
root/admin@AWS.COM
root@AWS.COM

Note: all the services belong to the master host.

Thanks

Kumar
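
Added example (not part of the original post and not Cloudera's code): a small Python parser that summarizes which kadmin privileges the authenticating principal was refused in a `gen_credentials.sh` trace like the one above. The sample trace is constructed from lines of that output, the function names are hypothetical, and the letter mapping is the MIT Kerberos `kadm5.acl` permission set.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the trace above (hostname placeholder kept).
SAMPLE_TRACE = """\
+ kadmin -k -t /var/run/cloudera-scm-server/cmf8961661390083798972.keytab -p root@AWS.COM -r AWS.COM -q 'addprinc -maxrenewlife "432000 sec" -randkey oozie/<hostname>@AWS.COM'
add_principal: Operation requires ``add'' privilege while creating "oozie/<hostname>@AWS.COM".
get_principal: Operation requires ``get'' privilege while retrieving "oozie/<hostname>@AWS.COM".
kadmin: Operation requires ``change-password'' privilege while changing oozie/<hostname>@AWS.COM's key
chmod: cannot access `/var/run/cloudera-scm-server/cmf4310122296840901236.keytab': No such file or directory
"""

# MIT kadm5.acl permission letters for the privilege names kadmin reports.
ACL_LETTER = {"add": "a", "get": "i", "change-password": "c",
              "delete": "d", "modify": "m", "list": "l"}

# Principal passed to kadmin with -p on a traced ("+ ...") command line.
AUTH_RE = re.compile(r"kadmin\b.*?\s-p\s+(\S+)")
# Privilege name and target principal from a kadmin authorization error.
PRIV_RE = re.compile(
    r"Operation requires ``([\w-]+)'' privilege while \w+ \"?([^\s\"']+)")

def missing_privileges(trace):
    """Return (authenticating principal, {target principal: set of privileges})."""
    admin = None
    missing = defaultdict(set)
    for line in trace.splitlines():
        if admin is None and line.startswith("+"):
            m = AUTH_RE.search(line)
            if m:
                admin = m.group(1)
        m = PRIV_RE.search(line)
        if m:
            missing[m.group(2)].add(m.group(1))
    return admin, dict(missing)

def acl_letters(privs):
    """Map privilege names to kadm5.acl letters; '?' marks an unknown name."""
    return "".join(sorted(ACL_LETTER.get(p, "?") for p in privs))

if __name__ == "__main__":
    admin, missing = missing_privileges(SAMPLE_TRACE)
    for target, privs in missing.items():
        print(f"{admin} lacks {sorted(privs)} on {target} "
              f"(kadm5.acl letters: {acl_letters(privs)})")
```
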


Re: Enable Kerberos via Cloudera Manager wizard failed

Note: I can't find the keytab file in the path below. Is that causing the trouble?

/var/run/cloudera-scm-server/cmf4310122296840901236.keytab

Re: Enable Kerberos via Cloudera Manager wizard failed

Issue resolved... I made a few mistakes and resolved them one by one.

1.
The file below is a temporary keytab which is generated automatically every time we try CM -> Administration -> Setting -> Import KDC Account Manager Credentials.
It is automatically removed after every attempt and will not be available for our manual reference. This is NOT an issue.
/var/run/cloudera-scm-server/cmf4310122296840901236.keytab

2.
If you are planning to import the KDC account using the wizard, then there is no need to manually enter any service-related principal:
kadmin.local: listprincs
oozie/<Master_Domain>@AWS.COM
oozie/<Master_hostname>@AWS.COM

3.
# Cloudera Manager -> Administration -> Security -> Kerberos Credentials -> Configuration
a. Update REALM.COM
b. Update Host
c. Update Encryption Type

A few more corrections were made, and it is working fine now.

Thanks

Kumar
