Archives of Support Questions (Read Only)

This is an archived board for historical reference. Information and links may no longer be available or relevant
Announcements
This board is archived and read-only for historical reference. To ask a new question, please post a new topic on the appropriate active board.

Import KDC Account Manager Credentials Command failed

avatar
Explorer

I'm attempting to install CDH 5.9 and enable Kerberos but am getting the following error when going through the Kerberos wizard.

 

/usr/share/cmf/bin/import_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf4852346331449807753.keytab
+ USER=cloudera-scm/[email protected]
+ PASSWD=REDACTED
+ KVNO=1
+ SLEEP=0
+ RHEL_FILE=/etc/redhat-release
+ '[' -f /etc/redhat-release ']'
+ set +e
+ grep Tikanga /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'CentOS release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'Scientific Linux release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ IFS=' '
+ read -a ENC_ARR
+ for ENC in '"${ENC_ARR[@]}"'
+ ktutil
+ echo 'addent -REDACTED -p cloudera-scm/[email protected] -k 1 -e rc4-hmac'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/cloudera-scm-server/cmf4852346331449807753.keytab'
+ chmod 600 /var/run/cloudera-scm-server/cmf4852346331449807753.keytab
+ kinit -k -t /var/run/cloudera-scm-server/cmf4852346331449807753.keytab cloudera-scm/[email protected]
kinit: Generic preauthentication failure while getting initial credentials

>>

The principal cloudera-scm/[email protected] works fine when I do this on the CM Host.

 

$ kinit cloudera-scm/[email protected]
Password for cloudera-scm/[email protected]:

$ klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cloudera-scm/[email protected]

Valid starting     Expires            Service principal
12/14/16 09:30:07  12/14/16 09:40:07  krbtgt/[email protected]
	renew until 12/21/16 09:30:05, Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
1 ACCEPTED SOLUTION

avatar
Explorer

I worked around this by using this enctype in the wizard.

 

default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac

 

 

Curiously I had rc4-hmac in my /etc/krb5.conf and also on the KDC server but for whatever reason it didn't seem to be working. Switching to the above encryption type solved my issue with the wizard.

View solution in original post

1 REPLY 1

avatar
Explorer

I worked around this by using this enctype in the wizard.

 

default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac

 

 

Curiously I had rc4-hmac in my /etc/krb5.conf and also on the KDC server but for whatever reason it didn't seem to be working. Switching to the above encryption type solved my issue with the wizard.