question Re: Kerberos:Error occured in generating credentials in Archives of Support Questions (Read Only)

Kerberos:Error occured in generating credentials

HDFS — Fri, 16 Sep 2022 09:12:24 GMT

Hi,

I was enabling kerberos from cloudera manager.

Everything worked fine but when it tried to do the step of "generating Credentials" it gave me an error.

Please find the error.

Any suggestions?

Waiting for the reply

/usr/share/cmf/bin/gen_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ CMF_REALM=JNJ.COM
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf7829892990940630057.keytab
+ PRINC=impala/itsusmpl00509.jnj.com@JNJ.COM
+ MAX_RENEW_LIFE=432000
+ KADMIN='kadmin -k -t /var/run/cloudera-scm-server/cmf4619059661181081787.keytab -p cloudera-scm/admin@JNJ.COM -r JNJ.COM'
+ RENEW_ARG=
+ '[' 432000 -gt 0 ']'
+ RENEW_ARG='-maxrenewlife "432000 sec"'
+ kadmin -k -t /var/run/cloudera-scm-server/cmf4619059661181081787.keytab -p cloudera-scm/admin@JNJ.COM -r JNJ.COM -q 'addprinc -maxrenewlife "432000 sec" -randkey impala/itsusmpl00509.jnj.com@JNJ.COM'
WARNING: no policy specified for impala/itsusmpl00509.jnj.com@JNJ.COM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "impala/itsusmpl00509.jnj.com@JNJ.COM".
+ '[' 432000 -gt 0 ']'
++ kadmin -k -t /var/run/cloudera-scm-server/cmf4619059661181081787.keytab -p cloudera-scm/admin@JNJ.COM -r JNJ.COM -q 'getprinc -terse impala/itsusmpl00509.jnj.com@JNJ.COM'
++ tail -1
++ cut -f 12
get_principal: Operation requires ``get'' privilege while retrieving "impala/itsusmpl00509.jnj.com@JNJ.COM".
+ RENEW_LIFETIME='Authenticating as principal cloudera-scm/admin@JNJ.COM with keytab /var/run/cloudera-scm-server/cmf4619059661181081787.keytab.'
+ '[' Authenticating as principal cloudera-scm/admin@JNJ.COM with keytab /var/run/cloudera-scm-server/cmf4619059661181081787.keytab. -eq 0 ']'
/usr/share/cmf/bin/gen_credentials.sh: line 28: [: too many arguments
+ kadmin -k -t /var/run/cloudera-scm-server/cmf4619059661181081787.keytab -p cloudera-scm/admin@JNJ.COM -r JNJ.COM -q 'xst -k /var/run/cloudera-scm-server/cmf7829892990940630057.keytab impala/itsusmpl00509.jnj.com@JNJ.COM'
kadmin: Operation requires ``change-password'' privilege while changing impala/itsusmpl00509.jnj.com@JNJ.COM's key
+ chmod 600 /var/run/cloudera-scm-server/cmf7829892990940630057.keytab
chmod: cannot access `/var/run/cloudera-scm-server/cmf7829892990940630057.keytab': No such file or directory

Re: Kerberos:Error occured in generating credentials

Grizzly — Tue, 11 Nov 2014 19:09:52 GMT

What version of Cloudera Manager are you using in the example you provided?

Re: Kerberos:Error occured in generating credentials

HDFS — Tue, 11 Nov 2014 19:12:25 GMT

the latest 5.2 version of cloudera is used

Re: Kerberos:Error occured in generating credentials

Grizzly — Tue, 11 Nov 2014 19:15:45 GMT

What KDC is in use? What OS and Release Version is the KDC running on?

Re: Kerberos:Error occured in generating credentials

Grizzly — Tue, 11 Nov 2014 19:18:10 GMT

Also, what is in your KDC's kadm5.acl file?

Re: Kerberos:Error occured in generating credentials

HDFS — Tue, 11 Nov 2014 19:37:08 GMT

Its KDC 5 running on rhel 6.3

and my kadm5.acl file has

admin@JNJ.COM

Re: Kerberos:Error occured in generating credentials

Grizzly — Tue, 11 Nov 2014 20:07:46 GMT

so realize the reason there was a */admin@REALM in the kadm5.acl file before you changed it... that generic entry was in there so that any principal that has a name that ends with /admin is granted administrative rights over the KDC database.

Your cloudera manager principal is named cloudera-scm/admin@JNJ.COM, but your acl file restricts admin to ONLY a user named "admin@JNJ.COM"

From the script output you gave, none of the commands are working through kadmin becase the CM server user has no rights.

Either update the kadm5.acl file to include */admin@JNJ.COM, or explicitly set and entry for the CM server scm-server/admin@JNJ.COM. At that point you should be able to configure cluster principals through CM in the KDC.

Todd

Re: Kerberos:Error occured in generating credentials

HDFS — Tue, 11 Nov 2014 20:15:05 GMT

My kadm5.acl is like this :-

*/admin@JNJ.COM*
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
"/var/kerberos/krb5kdc/kadm5.acl" 1L, 18C

So you are suggesting is to add cloudera-scm/admin@JNJ.COM too right?

Re: Kerberos:Error occured in generating credentials

Grizzly — Tue, 11 Nov 2014 20:36:00 GMT

You should not have to specifically add the CM principal, the */admin should handle it.

From what you pasted, I think you have a space missing between your COM and the "*" at the end of the first line; Mine looks like this:

[12:34 root@secsme-1 ~] > cat kadm5.acl
*/admin@COE.CLOUDERA.COM *

Re: Kerberos:Error occured in generating credentials

HDFS — Thu, 13 Nov 2014 17:40:42 GMT

I was able to reolve it.

The space should not be there between COM and * in kadm5.acl

Thanks !! 🙂

Re: Kerberos:Error occured in generating credentials

Grizzly — Thu, 13 Nov 2014 17:43:41 GMT

Just FYI, it should have a space

http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/kadm5_acl.html

Re: Kerberos:Error occured in generating credentials

HDFS — Thu, 13 Nov 2014 19:58:25 GMT

Yes ,It was a typo error, I meant the space should be there. 🙂

*/admin@My-Realm.COM *