Cloudera Employee
Posts: 276
Registered: ‎07-08-2013

Re: Enabling Kerberos for cluster fails when importing KDC account manager


Hi Sandy,

+ ktutil
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes256-cts:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes128-cts:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des3-hmac-sha1:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des-hmac-sha1:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des-cbc-crc:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/cloudera-scm-server/cmf8091152271730902012.keytab'
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
+ chmod 600 /var/run/cloudera-scm-server/cmf8091152271730902012.keytab
chmod: cannot access `/var/run/cloudera-scm-server/cmf8091152271730902012.keytab': No such file or directory

 

Based on the above information, I've noticed that you have set the encryption in CM UI> Administration> Setting> Kerberos> "Kerberos Encryption Types" as

- aes256-cts:normal
- aes128-cts:normal
- des3-hmac-sha1:normal
- des-hmac-sha1:normal
- des-cbc-crc:normal

 

The error I see is that while ktutil executed the command addent, it failed with "Bad encryption type while adding new entry".

Therefore, ktutil failed to set -e encryption_type for all 5 encryption types you've specified, so there was nothing to be written into a keytab (wkt keytab); see: 'wkt /var/run/cloudera-scm-server/cmf8091152271730902012.keytab'

The encryption type combination you've specified is valid for the kadmin/kadmin.local tool, where the -e parameter can be specified as encryption:salt, but it is not valid for ktutil -e encryption_type.

Since the CM script is using ktutil, you may need to remove the salt suffix ':normal'.

The salt :normal is the default for Kerberos Version 5; you only need to set the encryption type [0] in

CM UI> Administration> Setting> Kerberos> "Kerberos Encryption Types"

 

Encryption Type

- aes256-cts
- aes128-cts
- des3-hmac-sha1
- des-hmac-sha1
- des-cbc-crc

 

Let me know if this helps,

Michalis

 

[0] https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/kdc_conf.html#encryption-types

Note: A feature request OPSAPS-29768 is in progress to not allow manual entry in "Kerberos Encryption Types"
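
A pre-flight check for the mismatch described in the answer above, as an added example that is not part of the original thread and not Cloudera Manager's own script: it strips the kadmin-style `:salt` suffix, drops duplicates, and prints the `addent` requests in the shape seen in the trace so they can be reviewed before anything reaches ktutil. The function names and the sample principal are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Cloudera Manager's script; function names are hypothetical.

# Convert one kadmin-style "enctype[:salt]" entry into the bare enctype that
# `ktutil addent -e` accepts. Returns 1 for empty or malformed entries.
to_ktutil_enctype() {
    case $1 in
        ''|:*|*:|*:*:*|*' '*) return 1 ;;
    esac
    printf '%s\n' "${1%%:*}"
}

# Normalize a list of entries: strip salts, drop duplicates, keep order.
# Prints one enctype per line; returns 1 if any entry had to be skipped.
normalize_enctypes() {
    local seen=' ' rc=0 entry enc
    for entry in "$@"; do
        if enc=$(to_ktutil_enctype "$entry"); then
            case $seen in
                *" $enc "*) ;;   # same enctype listed more than once
                *) seen="$seen$enc "; printf '%s\n' "$enc" ;;
            esac
        else
            printf 'skipping malformed entry: "%s"\n' "$entry" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Print the addent requests in the shape seen in the trace, for review only.
# Arguments: principal, kvno, then the configured entries.
preview_addent() {
    local princ=$1 kvno=$2 enc
    shift 2
    normalize_enctypes "$@" | while read -r enc; do
        printf 'addent -password -p %s -k %s -e %s\n' "$princ" "$kvno" "$enc"
    done
}

# Constructed sample: the salted values from the thread, placeholder principal.
SAMPLE="aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-crc:normal"
# shellcheck disable=SC2086  # word splitting of $SAMPLE is intended
preview_addent 'cloudera-scm/host.example.com@EXAMPLE.COM' 1 $SAMPLE
```
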

Explorer
Posts: 19
Registered: ‎07-24-2017

Re: Enabling Kerberos for cluster fails when importing KDC account manager

@Michalis

I removed the salt :normal while enabling Kerberos using Cloudera Manager and it imported the KDC successfully.

Thanks @bgooley and @Michalis for the support and helping me to solve this tricky one.

 

 
