
Enable Kerberos via Cloudera Manager wizard failed

Champion

Hi

Our test environment has RedHat 6.x. The Kerberos installation went well, but I am getting the following error when enabling Kerberos via the CM wizard.

All of our services were green before enabling Kerberos, but now all the services are down with the following error:

"Role is missing Kerberos keytab. Please run the Generate Missing Credentials command on the Kerberos Credentials tab of the Administration -> Security page"

I tried to generate the missing credentials on the Security page, but it failed with the error message below. Please help me understand how to proceed further...

/usr/share/cmf/bin/gen_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ CMF_REALM=AWS.COM
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf4310122296840901236.keytab
+ PRINC=oozie/<hostname>@AWS.COM
+ MAX_RENEW_LIFE=432000
+ KADMIN='kadmin -k -t /var/run/cloudera-scm-server/cmf8961661390083798972.keytab -p root@AWS.COM -r AWS.COM'
+ RENEW_ARG=
+ '[' 432000 -gt 0 ']'
+ RENEW_ARG='-maxrenewlife "432000 sec"'
+ '[' -z /var/run/cloudera-scm-server/krb51519941863236958532.conf ']'
+ echo 'Using custom config path '\''/var/run/cloudera-scm-server/krb51519941863236958532.conf'\'', contents below:'
+ cat /var/run/cloudera-scm-server/krb51519941863236958532.conf
+ kadmin -k -t /var/run/cloudera-scm-server/cmf8961661390083798972.keytab -p root@AWS.COM -r AWS.COM -q 'addprinc -maxrenewlife "432000 sec" -randkey oozie/<hostname>@AWS.COM'
WARNING: no policy specified for oozie/<hostname>@AWS.COM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "oozie/<hostname>@AWS.COM".
+ '[' 432000 -gt 0 ']'
++ kadmin -k -t /var/run/cloudera-scm-server/cmf8961661390083798972.keytab -p root@AWS.COM -r AWS.COM -q 'getprinc -terse oozie/<hostname>@AWS.COM'
++ tail -1
++ cut -f 12
get_principal: Operation requires ``get'' privilege while retrieving "oozie/<hostname>@AWS.COM".
+ RENEW_LIFETIME='Authenticating as principal root@AWS.COM with keytab /var/run/cloudera-scm-server/cmf8961661390083798972.keytab.'
+ '[' Authenticating as principal root@AWS.COM with keytab /var/run/cloudera-scm-server/cmf8961661390083798972.keytab. -eq 0 ']'
/usr/share/cmf/bin/gen_credentials.sh: line 35: [: too many arguments
+ kadmin -k -t /var/run/cloudera-scm-server/cmf8961661390083798972.keytab -p root@AWS.COM -r AWS.COM -q 'xst -k /var/run/cloudera-scm-server/cmf4310122296840901236.keytab oozie/<hostname>@AWS.COM'
kadmin: Operation requires ``change-password'' privilege while changing oozie/<hostname>@AWS.COM's key
+ chmod 600 /var/run/cloudera-scm-server/cmf4310122296840901236.keytab
chmod: cannot access `/var/run/cloudera-scm-server/cmf4310122296840901236.keytab': No such file or directory

>>

kadmin.local

kadmin.local:  listprincs
cloudera-scm/admin@AWS.COM
cloudera-scm/<Master_Domain>@AWS.COM
cloudera-scm/<hostname>@AWS.COM
host/<Clienthost1_name>@AWS.COM
host/<Clienthost2_name>@AWS.COM
kadmin/admin@AWS.COM
kadmin/changepw@AWS.COM
kadmin/<Master_hostname>@AWS.COM
krbtgt/AWS.COM@AWS.COM
kumar@AWS.COM
oozie/<Master_Domain>@AWS.COM
oozie/<Master_hostname>@AWS.COM
root/admin@AWS.COM
root@AWS.COM

Note: all the services belong to the master host

Thanks

Kumar

1 ACCEPTED SOLUTION

Champion

Issue resolved... I made a few mistakes and resolved them one by one.

1.
The file below is a temporary keytab that is generated automatically every time we try CM -> Administration -> Setting -> Import KDC Account Manager Credentials.
It is automatically removed after every attempt and is not available for our manual reference. This is NOT an issue.
/var/run/cloudera-scm-server/cmf4310122296840901236.keytab

2.
If you are planning to import the KDC account using the wizard, then there is no need to manually enter any service-related principal.
kadmin.local: listprincs
oozie/<Master_Domain>@AWS.COM
oozie/<Master_hostname>@AWS.COM

3.
# Cloudera Manager -> Administration -> Security -> Kerberos Credentials -> Configuration
a. Update REALM.COM
b. Update Host
c. Update Encryption Type

A few more corrections were made, and it is working fine.

Thanks

Kumar

4 REPLIES

Champion

Note: I can't find the keytab file at the path below. Is that causing the trouble?

/var/run/cloudera-scm-server/cmf4310122296840901236.keytab

Contributor

Hello,

This may be an old post, but I'm struggling with the same problem and didn't want to open a new thread.

I'm working with CentOS 7.5 and added two new gateway hosts for StreamSets.

After I successfully installed StreamSets with the Parcel, I created the principals for Kerberos with kadmin.local for both hosts like this:

  • add_principal sdc/hostname1.FQDN@MYCOMPANY.REALM
  • add_principal sdc/hostname2.FQDN@MYCOMPANY.REALM

After this step I wanted to create the missing Kerberos credentials through Cloudera Manager, which fails.

I'm not sure about this line. Is this maybe the problem?

/usr/share/cmf/bin/gen_credentials.sh: line 35: [: too many arguments

My full log file:

/usr/share/cmf/bin/gen_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ CMF_REALM=MYCOMPANY.REALM
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf3411206514354101952.keytab
+ PRINC=sdc/hostname1.FQDN@MYCOMPANY.REALM
+ MAX_RENEW_LIFE=604800
+ KADMIN='kadmin -k -t /var/run/cloudera-scm-server/cmf5906055974897109624.keytab -p sdc/hostname2.FQDN@MYCOMPANY.REALM -r MYCOMPANY.REALM'
+ RENEW_ARG=
+ '[' 604800 -gt 0 ']'
+ RENEW_ARG='-maxrenewlife "604800 sec"'
+ '[' -z /var/run/cloudera-scm-server/krb57389542731171685362.conf ']'
+ echo 'Using custom config path '\''/var/run/cloudera-scm-server/krb57389542731171685362.conf'\'', contents below:'
+ cat /var/run/cloudera-scm-server/krb57389542731171685362.conf
+ kadmin -k -t /var/run/cloudera-scm-server/cmf5906055974897109624.keytab -p sdc/hostname2.FQDN@MYCOMPANY.REALM -r MYCOMPANY.REALM -q 'addprinc -maxrenewlife "604800 sec" -randkey sdc/hostname1.FQDN@MYCOMPANY.REALM'
WARNING: no policy specified for sdc/hostname1.FQDN@MYCOMPANY.REALM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "sdc/hostname1.FQDN@MYCOMPANY.REALM".
+ '[' 604800 -gt 0 ']'
++ kadmin -k -t /var/run/cloudera-scm-server/cmf5906055974897109624.keytab -p sdc/hostname2.FQDN@MYCOMPANY.REALM -r MYCOMPANY.REALM -q 'getprinc -terse sdc/hostname1.FQDN@MYCOMPANY.REALM'
++ tail -1
++ cut -f 12
get_principal: Operation requires ``get'' privilege while retrieving "sdc/hostname1.FQDN@MYCOMPANY.REALM".
+ RENEW_LIFETIME='Authenticating as principal sdc/hostname2.FQDN@MYCOMPANY.REALM with keytab /var/run/cloudera-scm-server/cmf5906055974897109624.keytab.'
+ '[' Authenticating as principal sdc/hostname2.FQDN@MYCOMPANY.REALM with keytab /var/run/cloudera-scm-server/cmf5906055974897109624.keytab. -eq 0 ']'
/usr/share/cmf/bin/gen_credentials.sh: line 35: [: too many arguments
+ kadmin -k -t /var/run/cloudera-scm-server/cmf5906055974897109624.keytab -p sdc/hostname2.FQDN@MYCOMPANY.REALM -r MYCOMPANY.REALM -q 'xst -k /var/run/cloudera-scm-server/cmf3411206514354101952.keytab sdc/hostname1.FQDN@MYCOMPANY.REALM'
kadmin: Operation requires ``change-password'' privilege while changing sdc/hostname1.FQDN@MYCOMPANY.REALM's key
+ chmod 600 /var/run/cloudera-scm-server/cmf3411206514354101952.keytab
chmod: cannot access ‘/var/run/cloudera-scm-server/cmf3411206514354101952.keytab’: No such file or directory

>>

Grateful for any help.

Contributor

EDIT:

I made a copy/paste mistake! Please ignore the full log given in my post above.

Here is the correct error log:

/usr/share/cmf/bin/gen_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ CMF_REALM=MYCOMPANY.REALM
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf2548823212650177196.keytab
+ PRINC=sdc/hostname.FQDN@MYCOMPANY.REALM
+ MAX_RENEW_LIFE=604800
+ KADMIN='kadmin -k -t /var/run/cloudera-scm-server/cmf6838080336847771087.keytab -p admin/admin@MYCOMPANY.REALM -r MYCOMPANY.REALM'
+ RENEW_ARG=
+ '[' 604800 -gt 0 ']'
+ RENEW_ARG='-maxrenewlife "604800 sec"'
+ '[' -z /var/run/cloudera-scm-server/krb52847952611766397096.conf ']'
+ echo 'Using custom config path '\''/var/run/cloudera-scm-server/krb52847952611766397096.conf'\'', contents below:'
+ cat /var/run/cloudera-scm-server/krb52847952611766397096.conf
+ kadmin -k -t /var/run/cloudera-scm-server/cmf6838080336847771087.keytab -p admin/admin@MYCOMPANY.REALM -r MYCOMPANY.REALM -q 'addprinc -maxrenewlife "604800 sec" -randkey sdc/hostname.FQDN@MYCOMPANY.REALM'
WARNING: no policy specified for sdc/hostname.FQDN@MYCOMPANY.REALM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "sdc/hostname.FQDN@MYCOMPANY.REALM".
+ '[' 604800 -gt 0 ']'
++ kadmin -k -t /var/run/cloudera-scm-server/cmf6838080336847771087.keytab -p admin/admin@MYCOMPANY.REALM -r MYCOMPANY.REALM -q 'getprinc -terse sdc/hostname.FQDN@MYCOMPANY.REALM'
++ tail -1
++ cut -f 12
get_principal: Operation requires ``get'' privilege while retrieving "sdc/hostname.FQDN@MYCOMPANY.REALM".
+ RENEW_LIFETIME='Authenticating as principal admin/admin@MYCOMPANY.REALM with keytab /var/run/cloudera-scm-server/cmf6838080336847771087.keytab.'
+ '[' Authenticating as principal admin/admin@MYCOMPANY.REALM with keytab /var/run/cloudera-scm-server/cmf6838080336847771087.keytab. -eq 0 ']'
/usr/share/cmf/bin/gen_credentials.sh: line 35: [: too many arguments
+ kadmin -k -t /var/run/cloudera-scm-server/cmf6838080336847771087.keytab -p admin/admin@MYCOMPANY.REALM -r MYCOMPANY.REALM -q 'xst -k /var/run/cloudera-scm-server/cmf2548823212650177196.keytab sdc/hostname.FQDN@MYCOMPANY.REALM'
kadmin: Operation requires ``change-password'' privilege while changing sdc/hostname.FQDN@MYCOMPANY.REALM's key
+ chmod 600 /var/run/cloudera-scm-server/cmf2548823212650177196.keytab
chmod: cannot access ‘/var/run/cloudera-scm-server/cmf2548823212650177196.keytab’: No such file or directory

>>
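
The gen_credentials.sh output posted in this thread can be triaged mechanically, as an added example that is not part of any post or of Cloudera's tooling: it extracts the principal the script authenticated as, the kadmin privileges that were refused, and whether the "line 35" error is only a consequence of the refused getprinc. The function names and the sample log are constructed for illustration, with placeholder principals and paths.

```shell
#!/bin/sh
# Added example: triage the xtrace output of gen_credentials.sh read from stdin.

# Constructed sample modelled on the logs in this thread; all names are placeholders.
sample_log() {
cat <<'EOF'
+ KADMIN='kadmin -k -t /tmp/example.keytab -p admin/admin@EXAMPLE.REALM -r EXAMPLE.REALM'
add_principal: Operation requires ``add'' privilege while creating "svc/host.example@EXAMPLE.REALM".
get_principal: Operation requires ``get'' privilege while retrieving "svc/host.example@EXAMPLE.REALM".
+ RENEW_LIFETIME='Authenticating as principal admin/admin@EXAMPLE.REALM with keytab /tmp/example.keytab.'
/usr/share/cmf/bin/gen_credentials.sh: line 35: [: too many arguments
kadmin: Operation requires ``change-password'' privilege while changing svc/host.example@EXAMPLE.REALM's key
EOF
}

# Principal the script authenticated to kadmin as (the -p argument of KADMIN=).
admin_principal() {
  sed -n "s/^+ KADMIN='.* -p \([^ ]*\) .*/\1/p" | head -n 1
}

# Privileges kadmind refused, de-duplicated and sorted, on one line.
missing_privileges() {
  sed -n "s/.*Operation requires \`\`\([a-z-]*\)'' privilege.*/\1/p" |
    sort -u | paste -s -d ' ' -
}

# Succeeds when RENEW_LIFETIME captured kadmin's banner instead of a number,
# which is what makes the unquoted numeric test on line 35 fail.
renew_lifetime_is_banner() {
  grep -q "^+ RENEW_LIFETIME='Authenticating as principal "
}

# Print a short diagnosis; returns 1 when privilege errors are present.
diagnose() {
  log=$(cat)
  privs=$(printf '%s\n' "$log" | missing_privileges)
  if [ -z "$privs" ]; then
    echo "no kadmin privilege errors found"
    return 0
  fi
  echo "$(printf '%s\n' "$log" | admin_principal) lacks kadmin privileges: $privs"
  if printf '%s\n' "$log" | renew_lifetime_is_banner; then
    echo "line 35 '[: too many arguments' is a side effect of the refused getprinc"
  fi
  return 1
}

sample_log | diagnose || true
```

The privileges it reports are the ones MIT kadmind checks for the authenticating principal in the KDC's kadm5.acl.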