Kinit not working after migrating principals from one KDC to other one

saivenkatg55 — Fri, 25 Feb 2022 05:18:07 GMT

Hi Team,

I have recently migrated Kerberos principals using the below command from one KDC to another KDC, post-migration kinit is not working and it is throwing some error whereas the same identity is working in the original KDC. Can you please help us in identifying the error? Did I make any mistakes while migrating the principles?

Command Used - kdb5_util dump -verbose dumpfile

and logged in to other KDC and executed the restore

kdb5_util restore -verbose /tmp/dumpfile

Error:

KRB5_TRACE=/dev/stdout kinit testuser

[8962] 1645765308.654184: Getting initial credentials for testuser@EXAMPLE.COM

[8962] 1645765308.654186: Sending unauthenticated request

[8962] 1645765308.654187: Sending request (181 bytes) to EXAMPLE.COM

[8962] 1645765308.654188: Resolving hostname stg-hdplucykrb101.phonepe.nb6

[8962] 1645765308.654189: Sending initial UDP request to dgram 10.57.55.228:88

[8962] 1645765308.654190: Received answer (163 bytes) from dgram 10.57.55.228:88

[8962] 1645765308.654188: Resolving hostname kdc.example.com

[8962] 1645765308.654191: Sending DNS URI query for _kerberos.EXAMPLE.COM.

[8962] 1645765308.654192: No URI records found

[8962] 1645765308.654193: Sending DNS SRV query for _kerberos-master._udp.EXAMPLE.COM.

[8962] 1645765308.654194: Sending DNS SRV query for _kerberos-master._tcp.EXAMPLE.COM.

[8962] 1645765308.654195: No SRV records found

[8962] 1645765308.654196: Response was not from master KDC

[8962] 1645765308.654197: Received error from KDC: -1765328353/Decrypt integrity check failed

[8962] 1645765308.654198: Retrying AS request with master KDC

[8962] 1645765308.654199: Getting initial credentials for testuser@EXAMPLE.COM

[8962] 1645765308.654201: Sending unauthenticated request

[8962] 1645765308.654202: Sending request (181 bytes) to EXAMPLE.COM (master)

[8962] 1645765308.654203: Sending DNS URI query for _kerberos.EXAMPLE.COM.

[8962] 1645765308.654204: No URI records found

[8962] 1645765308.654205: Sending DNS SRV query for _kerberos-master._udp.EXAMPLE.COM.

[8962] 1645765308.654206: Sending DNS SRV query for _kerberos-master._tcp.EXAMPLE.COM.

[8962] 1645765308.654207: No SRV records found

kinit: Password incorrect while getting initial credentials

Re: Kinit not working after migrating principals from one KDC to other one

GangWar — Thu, 03 Mar 2022 06:11:36 GMT

Stop CDH Services and Stop Cloudera Manager Management Services.
Import the new kerberos account. You will need an admin account on the KDC for this:
1. CM UI -> Administration -> Security -> Kerberos credentials -> "Import Kerberos Account Manager Credentials"
2. Enter username and password
3. Click Import button
Re-generate missing principals if the previous step was successful
1. CM UI -> Administration -> Security -> "Kerberos credentials"
2. Click the button "Generate Missing Credentials"
Wait until credentials have been generated
Start Cloudera Manager Management Services
Start CDH Services

question Kinit not working after migrating principals from one KDC to other one in Support Questions

Kinit not working after migrating principals from one KDC to other one

Re: Kinit not working after migrating principals from one KDC to other one