Generate missing credential failed with constraint violation ERROR 19

Mohammed93 — Mon, 28 Nov 2022 14:47:33 GMT

Hello,

We are using AD for Kerberos. When we try to Generate missing credentials, we are getting error "ERROR GenerateCredentials-0:com.cloudera.cmf.security.GenerateCredentialsCommand: unable to create credential for role 785 due to:/opt/cloudera/cm/bin/gen_credentials_ad.sh failed with exit code 19 and output"

"SASL/GSSAPI authentication started
SASL username: user@domain
SASL SSF: 0
ldap_add: Constraint violation (19)
additional info: 000021C7: AtrErr: DSID-03200E7F, #1:
0: 000021C7: DSID-03200E7F, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)"

We got to know that there was a bug in Microsoft AD patch of November 2021 and Cloudera have a KB article with some suggestions to fix this. We have tried all of those options like disabling SPN on AD, Import Credentials with AD administration user account, removing from domain and generating missing credentials...but we get the same error every time. It tried to create HTTP principal everytime and fails to do so.

anyone faced this error and have a solution? Can someone please help with this? Sharing the Microsoft bug article and Cloudera KB article below for reference. Also sharing the full error message.

CLOUDERA:

https://my.cloudera.com/knowledge/TSB-2021-544--Microsoft-AD-November-2021-Security-Update?id=334373

Microsoft:

https://support.microsoft.com/en-us/topic/kb5008382-verification-of-uniqueness-for-user-principal-name-service-principal-name-and-the-service-principal-name-alias-cve-2021-42282-4651b175-290c-4e59-8fcb-e4e5cd0cdb29

ERROR MSG:

/opt/cloudera/cm/bin/gen_credentials_ad.sh failed with exit code 19 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf8118737478853575492.keytab
+ PRINC=HTTP/hostname@domain
+ USER=cdhr_xxx
+ PASSWD=REDACTED
+ DELETE_ON_REGENERATE=true
+ SET_ENCRYPTION_TYPES=false
+ ENC_TYPES_MASK=4
+ USERACCOUNTCONTROL=45373
+ ACCOUNTEXPIRES=0
+ OBJECTCLASSES='objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
'
+ DIST_NAME=CN=cdhr_xx,OU=xxx,OU=xxx,OU=xx,OU=xxx,DC=xxx,DC=xxx,DC=xxx
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ SIMPLE_PWD_STR=
+ '[' '' = '' ']'
+ kinit -k -t /var/run/cloudera-scm-server/cmf369146187832524361.keytab user@domain
++ mktemp /tmp/cm_ldap.XXXXXXXX
+ LDAP_CONF=/tmp/cm_ldap.qKndHBEl
+ echo 'TLS_REQCERT never'
+ echo 'sasl_secprops minssf=0,maxssf=0'
+ export LDAPCONF=/tmp/cm_ldap.qKndHBEl
+ LDAPCONF=/tmp/cm_ldap.qKndHBEl
++ ldapsearch -LLL -H ldaps://hostname:636 -b OU=xxx,OU=xxx,OU=xx,OU=xxx,DC=xxx,DC=xxx,DC=xxx userPrincipalName=HTTP/hostname@domain
SASL/GSSAPI authentication started
SASL username: user@domain
SASL SSF: 0
+ PRINC_SEARCH=
++ echo ''
++ sed -n '1 {h; $ !d}; $ {x; s/\n //g; p}; /^ / {H; d}; /^ /! {x; s/\n //g; p}'
+ RESULTS_UNWRAPPED=
+ echo $'\342\200\234\342\200\235'
+ set +e
+ echo
+ grep -q userPrincipalName
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' false = true ']'
+ ldapmodify -H ldaps://hostname:636
++ echo 'objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
'
++ sed /str/d
++ echo HTTP/hostname@domain
++ sed -e 's/\@domain//g'
++ echo -n '"REDACTED"'
++ iconv -f UTF8 -t UTF16LE
++ base64 -w 0
SASL/GSSAPI authentication started
SASL username: user@domain
SASL SSF: 0
ldap_add: Constraint violation (19)
additional info: 000021C7: AtrErr: DSID-03200E7F, #1:
0: 000021C7: DSID-03200E7F, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)

Thanks

Re: Generate missing credential failed with constraint violation ERROR 19

pajoshi — Mon, 28 Nov 2022 19:27:28 GMT

Hello @Mohammed93,

The error generally happens if there is a duplicate servicePrincipalName matching HTTP/<hostname>@<REALM>.

It could be possible that the duplicate entry could be in lowercase such as "http/<hostname>@<REALM> or may be with short hostname such as "HTTP/<short hostname>@<REALM>

Please check with your AD admin to locate the duplicates and remove them. Then retry regeneration of Kerberos credentials.

Thank you.

Re: Generate missing credential failed with constraint violation ERROR 19

DianaTorres — Thu, 01 Dec 2022 22:45:22 GMT

@Mohammed93 Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. Thanks

Re: Generate missing credential failed with constraint violation ERROR 19

skylarblu4650 — Fri, 22 Dec 2023 09:22:54 GMT

I am facing the exact same error message as OP. In my case, the HTTP service principal was missing in cloudera manager, but I could find it in my active directory. after removing the http entries in active directory , i tried to generate missing credentials, but the same error appears.

Any advice would be appreciated @pajoshi

Re: Generate missing credential failed with constraint violation ERROR 19

cjervis — Fri, 22 Dec 2023 13:12:10 GMT

Welcome to the community @skylarblu4650. As this post is a year old, I would suggest starting a new thread. That way you can provide details specific to your setup, version, how you encountered the issue and any steps you have tried already. It will provide others more details to assist you.

question Re: Generate missing credential failed with constraint violation ERROR 19 in Support Questions

Generate missing credential failed with constraint violation ERROR 19

Re: Generate missing credential failed with constraint violation ERROR 19

Re: Generate missing credential failed with constraint violation ERROR 19

Re: Generate missing credential failed with constraint violation ERROR 19

Re: Generate missing credential failed with constraint violation ERROR 19