question Re: Kerberos Generate Credentials fails in Support Questions

Kerberos Generate Credentials fails

danielLP — Fri, 16 Sep 2022 09:29:50 GMT

Hi,

I'm trying to configure kerberos on a single user installation.

I've created the cloudera-scm/admin@MYREALM.COM and was able to kinit it manually but I keep falling at the Generate Credentials phase:

/usr/share/cmf/bin/gen_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ CMF_REALM=MYREALM.COM
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf470480807619850998.keytab
+ PRINC=yarn/datanode003.domain.com@MYREALM.COM
+ MAX_RENEW_LIFE=604800
+ KADMIN='kadmin -k -t /var/run/cloudera-scm-server/cmf7525098316801008285.keytab -p cloudera-scm/admin@MYREALM.COM -r MYREALM.COM'
+ RENEW_ARG=
+ '[' 604800 -gt 0 ']'
+ RENEW_ARG='-maxrenewlife "604800 sec"'
+ '[' -z /var/run/cloudera-scm-server/krb58981110957643724339.conf ']'
+ echo 'Using custom config path '\''/var/run/cloudera-scm-server/krb58981110957643724339.conf'\'', contents below:'
+ cat /var/run/cloudera-scm-server/krb58981110957643724339.conf
+ kadmin -k -t /var/run/cloudera-scm-server/cmf7525098316801008285.keytab -p cloudera-scm/admin@MYREALM.COM -r MYREALM.COM -q 'addprinc -maxrenewlife "604800 sec" -randkey yarn/datanode003.domain.com@MYREALM.COM'
WARNING: no policy specified for yarn/datanode003.domain.com@MYREALM.COM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "yarn/datanode003.domain.com@MYREALM.COM".
+ '[' 604800 -gt 0 ']'
++ kadmin -k -t /var/run/cloudera-scm-server/cmf7525098316801008285.keytab -p cloudera-scm/admin@MYREALM.COM -r MYREALM.COM -q 'getprinc -terse yarn/datanode003.domain.com@MYREALM.COM'
++ tail -1
++ cut -f 12
get_principal: Operation requires ``get'' privilege while retrieving "yarn/datanode003.domain.com@MYREALM.COM".
+ RENEW_LIFETIME='Authenticating as principal cloudera-scm/admin@MYREALM.COM with keytab /var/run/cloudera-scm-server/cmf7525098316801008285.keytab.'
+ '[' Authenticating as principal cloudera-scm/admin@MYREALM.COM with keytab /var/run/cloudera-scm-server/cmf7525098316801008285.keytab. -eq 0 ']'
/usr/share/cmf/bin/gen_credentials.sh: line 35: [: too many arguments
+ kadmin -k -t /var/run/cloudera-scm-server/cmf7525098316801008285.keytab -p cloudera-scm/admin@MYREALM.COM -r MYREALM.COM -q 'xst -k /var/run/cloudera-scm-server/cmf470480807619850998.keytab yarn/datanode003.domain.com@MYREALM.COM'
kadmin: Operation requires ``change-password'' privilege while changing yarn/avpr-dhc003.lpdomain.com@MYREALM.COM's key
+ chmod 600 /var/run/cloudera-scm-server/cmf470480807619850998.keytab
chmod: cannot access `/var/run/cloudera-scm-server/cmf470480807619850998.keytab': No such file or directory

Thanks,

Daniel

Re: Kerberos Generate Credentials fails

danielLP — Sat, 23 May 2015 09:06:08 GMT

Anyone ?😐

Re: Kerberos Generate Credentials fails

Grizzly — Sat, 23 May 2015 11:48:24 GMT

So as you read through the error message, (the middle here being signficant) this line appears to be indicating at least part of the problem, as well as the others like it, that follow.

add_principal: Operation requires ``add'' privilege while creating "yarn/datanode003.domain.com@MYREALM.COM".

You would want to review your /var/kerberos/krb5kdc/kadmin5.acl file. Verify if the name pattern you are using for the CM administrator will properly resolve to an administrative account.

Re: Kerberos Generate Credentials fails

danielLP — Mon, 25 May 2015 10:58:43 GMT

Hi,
The problem was indeed the kadm5.acl file where I had a typo in the realm name.

Thank you!

Re: Kerberos Generate Credentials fails

zhuw.bigdata — Mon, 05 Dec 2016 20:44:56 GMT

There are a few files to change for realm renaming.

Re: Kerberos Generate Credentials fails

techfriend — Mon, 24 Sep 2018 05:33:10 GMT

Hi all,

when enable Kerberos on new cluster after restart the failed installation got the error message

Generate Missing Credentials Command

Re: Kerberos Generate Credentials fails

Kartik_Agarwal — Tue, 10 Jan 2023 13:30:23 GMT

@techfriend this can be resolved after modifiying the principle.

WARNING: no policy specified for mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU; defaulting to no policy
add_principal: Principal or policy already exists while creating "mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU".
+ '[' 604800 -gt 0 ']'
++ kadmin -k -t /var/run/cloudera-scm-server/cmf5922922234613877041.keytab -p cloudera-scm/admin@HADM.RU -r HADM.RU -q 'getprinc -terse mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU'
++ tail -1
++ cut -f 12
+ RENEW_LIFETIME=0
+ '[' 0 -eq 0 ']'
+ echo 'Unable to set maxrenewlife'
+ exit 1

kadmin.local

modprinc -maxrenewlife 90day +allow_renewable mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU

Kerberos Generate Credentials fails

Kartik_Agarwal — Tue, 17 Jan 2023 07:44:40 GMT

@techfriend this can be resolved after modifiying the principle.

WARNING: no policy specified for mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU; defaulting to no policy
add_principal: Principal or policy already exists while creating "mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU".
+ '[' 604800 -gt 0 ']'
++ kadmin -k -t /var/run/cloudera-scm-server/cmf5922922234613877041.keytab -p cloudera-scm/admin@HADM.RU -r HADM.RU -q 'getprinc -terse mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU'
++ tail -1
++ cut -f 12
+ RENEW_LIFETIME=0
+ '[' 0 -eq 0 ']'
+ echo 'Unable to set maxrenewlife'
+ exit 1

modprinc -maxrenewlife 90day +allow_renewable mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU