
Why is kinit with a headless keytab failing?


The commands being run are below. Both fail.

[root@host1 ~]# sudo -u hdfs /usr/bin/kinit -k -t /etc/security/keytabs/hdfs.headless.keytab hdfs/host1.prod.myclient.com@CORP.DS.MYCLIENT.COM
kinit: Keytab contains no suitable keys for hdfs/host1.prod.myclient.com@CORP.DS.MYCLIENT.COM while getting initial credentials 

and

[user1@host2.prod /var/www/html]$ sudo -u hdfs /usr/bin/kinit -k -t /etc/security/keytabs/hdfs.headless.keytab
kinit: Client not found in Kerberos database while getting initial credentials
1 ACCEPTED SOLUTION


You are using the wrong principal name for that keytab file. To see what keytab entries are in that keytab file, use klist:

klist -kte /etc/security/keytabs/hdfs.headless.keytab

This will list out the contents of the keytab file. There will be 1 or more lines indicating details about each keytab entry. The 2nd-to-last column will show the principal name for each entry. The last column will show the encryption algorithm used to create the keytab entry.


Hi Terry,

In a secured cluster you have two types of keytabs or principals:

Headless and Service principals.

Headless principals are not bound to a specific host or node; they have the syntax: <service_name>-<clustername>@EXAMPLE.COM

Service principals are bound to a specific service and host or node; they have the syntax: <service-name>/<hostname>@EXAMPLE.COM

For example:

Headless: hdfs-mycluster@EXAMPLE.COM
Service: nn/c6601.ambari.apache.org@EXAMPLE.COM

Here is some more info: https://docs.oracle.com/cd/E21455_01/common/tutorials/kerberos_principal.html

Make sure you use the right principal when you use kinit. You can see the principals of a keytab with:

klist -k <keytab file>
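
The check both replies describe, scripted as an added example (not part of the original thread): it reads klist -kte output, extracts the principals the keytab actually holds, and compares them with the name about to be passed to kinit. The function names keytab_principals and check_principal are hypothetical, and SAMPLE_KLIST is constructed output built from the example principal in the reply above.

```shell
#!/bin/sh
# Constructed sample in the layout MIT `klist -kte` prints (not real output).
SAMPLE_KLIST='Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 01/15/2016 10:22:31 hdfs-mycluster@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   1 01/15/2016 10:22:31 hdfs-mycluster@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 01/15/2016 10:22:31 hdfs-mycluster@EXAMPLE.COM (arcfour-hmac)'

# keytab_principals: read klist output on stdin and print each distinct
# principal once. Entries start after the "----" rule. The principal is taken
# as the first field containing "@", which is the 2nd-to-last column when the
# enctype is a single word and still works when it is printed with spaces.
keytab_principals() {
    awk '/^----/ { entries = 1; next }
         entries { for (i = 2; i <= NF; i++)
                       if (index($i, "@")) { if (!seen[$i]++) print $i; break } }'
}

# check_principal REQUESTED: return 0 if the keytab (klist output on stdin)
# holds a key for REQUESTED; otherwise list what it does hold and return 1.
check_principal() {
    requested=$1
    found=$(keytab_principals)
    if printf '%s\n' "$found" | grep -Fqx -- "$requested"; then
        echo "OK: keytab has keys for $requested"
        return 0
    fi
    echo "MISMATCH: no key for $requested; keytab holds:" >&2
    printf '%s\n' "$found" | sed 's/^/  /' >&2
    return 1
}

# Demo on the constructed sample: the service-style name from the question
# is rejected, the headless name stored in the keytab is accepted.
printf '%s\n' "$SAMPLE_KLIST" |
    check_principal 'hdfs/host1.prod.myclient.com@CORP.DS.MYCLIENT.COM' || true
printf '%s\n' "$SAMPLE_KLIST" | check_principal 'hdfs-mycluster@EXAMPLE.COM'
```

Against a real keytab, pipe klist -kte <keytab file> into check_principal with the principal you intend to give kinit, and run kinit only when it returns 0.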