Issue Generating principals in Cloudera Manager - 5.16.2 - Parcels.

HareeKrushnan — Fri, 20 Nov 2020 07:34:30 GMT

Hi,

When i try to 'Generate Missing Credentials' in Cloudera Manager:

CM >Administration>Secuity>Kerberos Credentials , I get the following error

2020-11-20 00:13:31,793 INFO GenerateCredentials-0:com.cloudera.cmf.security.GenerateCredentialsCommand: Generating kerberos credentials using custom script /etc/hadoop/conf/keytabgen.sh
2020-11-20 00:13:31,794 INFO GenerateCredentials-0:com.cloudera.cmf.security.GenerateCredentialsCommand: Creating credentials for roleId 132
2020-11-20 00:13:31,794 INFO GenerateCredentials-0:com.cloudera.cmf.security.GenerateCredentialsCommand: Generating new keytab for spark/clouderadp02.ibm.cloud@IBM.CLOUD
2020-11-20 00:13:31,805 ERROR GenerateCredentials-0:com.cloudera.cmf.security.GenerateCredentialsCommand: unable to create credential for role 132 due to:/etc/hadoop/conf/keytabgen.sh failed with exit code 1 and output of <<
cp: cannot stat ‘/etc/hadoop/conf/keytabs/spark_clouderadp02.ibm.cloud@IBM.CLOUD.keytab’: No such file or directory>>
2020-11-20 00:13:36,926 ERROR CommandPusher:com.cloudera.cmf.command.CommandHelpers: GenerateCredentials - Execution error: 
java.io.IOException: /etc/hadoop/conf/keytabgen.sh failed with exit code 1 and output of <<
cp: cannot stat ‘/etc/hadoop/conf/keytabs/spark_clouderadp02.ibm.cloud@IBM.CLOUD.keytab’: No such file or directory>>
	at com.cloudera.cmf.security.GenerateCredentialsCommand.generateKeytab(GenerateCredentialsCommand.java:404)
	at com.cloudera.cmf.security.GenerateCredentialsCommand.createKeytab(GenerateCredentialsCommand.java:501)
	at com.cloudera.cmf.security.GenerateCredentialsCommand.generateMissingKeytabs(GenerateCredentialsCommand.java:250)
	at com.cloudera.cmf.security.GenerateCredentialsCommand.access$300(GenerateCredentialsCommand.java:62)
	at com.cloudera.cmf.security.GenerateCredentialsCommand$2$1.run(GenerateCredentialsCommand.java:593)
	at com.cloudera.cmf.security.GenerateCredentialsCommand$2$1.run(GenerateCredentialsCommand.java:581)
	at com.cloudera.cmf.security.components.SecurityUtils.runWithGenerateKrb5Conf(SecurityUtils.java:375)
	at com.cloudera.cmf.security.GenerateCredentialsCommand$2.call(GenerateCredentialsCommand.java:581)
	at com.cloudera.cmf.security.GenerateCredentialsCommand$2.call(GenerateCredentialsCommand.java:577)
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
2020-11-20 00:13:36,927 INFO CommandPusher:com.cloudera.cmf.model.DbCommand: Command 2831(GenerateCredentials) has completed. finalstate:FINISHED, success:false, msg:/etc/hadoop/conf/keytabgen.sh failed with exit code 1 and output of <<
cp: cannot stat ‘/etc/hadoop/conf/keytabs/spark_clouderadp02.ibm.cloud@IBM.CLOUD.keytab’: No such file or directory>>

Not sure what is causing this issue. The '/etc/hadoop/conf/keytabgen.sh' is a very simple script :

#!/bin/bash # Cloudera Manager will input a destination path DEST="$1" # Cloudera Manager will input the principal name in the format: <service>/<fqdn>@REALM PRINC="$2" # Assuming the '<service>_<fqdn>@REALM.keytab' naming convention for keytab files IN=$(echo $PRINC | sed -e 's/\//_/') src="/etc/hadoop/conf/keytabs/${IN}.keytab" # Copy the keytab to the destination input by Cloudera Manager cp -v $SRC $DEST

When i check in /etc/hadoop/conf/keytab path. I find that to be empty.

When i check the principals in the KDC server(listprincs), I see the principals for each every service and user required.

Not sure what is going wrong.

regards,

Haree Krushnan

Re: Issue Generating principals in Cloudera Manager - 5.16.2 - Parcels.

tjangid — Fri, 20 Nov 2020 08:05:12 GMT

Hello @HareeKrushnan

I see that you are using a custom script to retrieve keytabs from the local filesystem. The script is failing as it is unable to find the required keytabs at the location

cp: cannot stat ‘/etc/hadoop/conf/keytabs/spark_clouderadp02.ibm.cloud@IBM.CLOUD.keytab’: No such file or directory>>

Please note that to use the custom script the KDC administrators should create the required principals and keytabs, and store them securely on the Cloudera Manager Server host.

Please review the below document for more information on using a Custom Kerberos Keytab Retrieval Script

https://docs.cloudera.com/documentation/enterprise/5-16-x/topics/sg_keytab_retrieval_script.html

Let us know if this helps.

Cheers!

Was your question answered? Make sure to mark the answer as the accepted solution.

If you find a reply useful, say thanks by clicking on the thumbs up button.

Re: Issue Generating principals in Cloudera Manager - 5.16.2 - Parcels.

HareeKrushnan — Mon, 23 Nov 2020 05:25:59 GMT

Hi Tjangid,

Thanks for the info, it indeed was the custom script which was causing the issue.

Regards,

Haree Krushnan

question Issue Generating principals in Cloudera Manager - 5.16.2 - Parcels. in Support Questions

Issue Generating principals in Cloudera Manager - 5.16.2 - Parcels.

Re: Issue Generating principals in Cloudera Manager - 5.16.2 - Parcels.

Re: Issue Generating principals in Cloudera Manager - 5.16.2 - Parcels.