Created 12-14-2016 06:31 AM
I'm attempting to install CDH 5.9 and enable Kerberos but am getting the following error when going through the Kerberos wizard.
/usr/share/cmf/bin/import_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf4852346331449807753.keytab
+ USER=cloudera-scm/[email protected]
+ PASSWD=REDACTED
+ KVNO=1
+ SLEEP=0
+ RHEL_FILE=/etc/redhat-release
+ '[' -f /etc/redhat-release ']'
+ set +e
+ grep Tikanga /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'CentOS release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'Scientific Linux release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ IFS=' '
+ read -a ENC_ARR
+ for ENC in '"${ENC_ARR[@]}"'
+ ktutil
+ echo 'addent -REDACTED -p cloudera-scm/[email protected] -k 1 -e rc4-hmac'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/cloudera-scm-server/cmf4852346331449807753.keytab'
+ chmod 600 /var/run/cloudera-scm-server/cmf4852346331449807753.keytab
+ kinit -k -t /var/run/cloudera-scm-server/cmf4852346331449807753.keytab cloudera-scm/[email protected]
kinit: Generic preauthentication failure while getting initial credentials
>>
The principal cloudera-scm/[email protected] works fine when I do this on the CM Host.
$ kinit cloudera-scm/[email protected]
Password for cloudera-scm/[email protected]:
$ klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cloudera-scm/[email protected]

Valid starting     Expires            Service principal
12/14/16 09:30:07  12/14/16 09:40:07  krbtgt/[email protected]
        renew until 12/21/16 09:30:05, Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1
Created on 12-14-2016 10:27 AM - edited 12-14-2016 10:28 AM
I worked around this by using this enctype in the wizard.
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac
Curiously I had rc4-hmac in my /etc/krb5.conf and also on the KDC server but for whatever reason it didn't seem to be working. Switching to the above encryption type solved my issue with the wizard.
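An added diagnostic sketch, not part of the original thread or of Cloudera Manager: it compares the enctype the wizard passed to ktutil in the trace with the enctypes shown by klist -e, and lists which entries in a krb5.conf fragment are deprecated (single DES by RFC 6649; 3DES and RC4 by RFC 8429). The sample inputs are constructed to mirror the thread, the principal and realm are placeholders, and the function names are hypothetical.

```python
import re

# RFC 6649 retired single DES; RFC 8429 retired 3DES and RC4 (rc4-hmac).
DEPRECATED = {"des-cbc-md5", "des-cbc-crc", "des3-cbc-sha1", "rc4-hmac"}

def keytab_enctypes(trace):
    """Enctypes the wizard passed to ktutil via 'addent ... -e <enctype>'."""
    return re.findall(r"addent\b[^'\n]*?\s-e\s+([\w-]+)", trace)

def ticket_enctypes(klist_out):
    """Session-key and ticket enctypes from the Etype line of 'klist -e'."""
    m = re.search(r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)", klist_out)
    return list(m.groups()) if m else []

def conf_enctypes(conf):
    """Map each *_enctypes setting in a krb5.conf fragment to its values."""
    pairs = re.findall(r"^[ \t]*(\w+_enctypes)[ \t]*=[ \t]*(.+)$", conf, re.M)
    return {name: value.split() for name, value in pairs}

def report(trace, klist_out, conf):
    """Heuristic only: keytab enctypes absent from the issued ticket are a
    hint that the principal may hold no key of that type on the KDC."""
    seen = set(ticket_enctypes(klist_out))
    return {
        "keytab_only": sorted(set(keytab_enctypes(trace)) - seen),
        "deprecated": {k: [e for e in v if e in DEPRECATED]
                       for k, v in conf_enctypes(conf).items()},
    }

# Constructed samples modelled on the thread; principal and realm are placeholders.
PRINC = "cloudera-scm/instance@EXAMPLE.TEST"
TRACE = f"+ ktutil\n+ echo 'addent -REDACTED -p {PRINC} -k 1 -e rc4-hmac'\n"
KLIST = ("Valid starting     Expires            Service principal\n"
         "12/14/16 09:30:07  12/14/16 09:40:07  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST\n"
         "\trenew until 12/21/16 09:30:05, "
         "Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1\n")
CONF = ("default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac\n"
        "default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac\n"
        "permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac\n")

if __name__ == "__main__":
    print(report(TRACE, KLIST, CONF))
```

The Etype line describes the ticket that was issued, not the keys stored for the principal; getprinc in kadmin on the KDC lists the stored key types.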