Explorer
Posts: 19
Registered: ‎12-02-2014

Unable to create Kerberos Credentials with Cloudera Custom Retrieval Script


Hello Community,

 

We just migrated our Hadoop nodes to Red Hat Identity Management (RHIM) recently. Now, we want to enable Kerberos on our CDH5.5 with Red Hat IPA by using the Cloudera custom script to create all principals and distribute keytabs accordingly. The script is located in /etc/cloudera-scm-server on the CM host and owned by the cloudera-scm user. Here is the error log message:

=======

2016-11-17 11:29:51,736 ERROR GenerateCredentials-0:com.cloudera.cmf.security.GenerateCredentialsCommand: unable to create credential for role 68 due to:/etc/cloudera-scm-server/gen_credentials_ipa.sh failed with exit code 1 and output of <<

SASL Bind failed Can't contact LDAP server (-1) !

======

 

What are we missing from the OS and CDH configuration point of view?

 

Thanks,

Silaphet

 

 

 

Posts: 60
Topics: 0
Kudos: 14
Blog Posts: 0
Ideas: 0
Solutions: 6
Registered: ‎11-26-2015

Re: Unable to create Kerberos Credentials with Cloudera Custom Retrieval Script

Hello Silaphet,

 

Could you please share with us the ldapsearch command that you are using in your script? Please try to use the fully qualified server name and '-Y GSSAPI' with ldapsearch.

 

Gabor


Re: Unable to create Kerberos Credentials with Cloudera Custom Retrieval Script

Hi Gabor,

 

We made a typo in the custom script. We were able to get all principals created in the RHIM. Now, the new issue is that we can't start CDH because we can't locate the KDC. Currently, all DNS lookups are disabled.

Here is an example from ZooKeeper.

Nov 21, 1:07:37.468 PM ERROR org.apache.zookeeper.server.quorum.QuorumPeerMain
Unexpected exception, exiting abnormally
java.io.IOException: Could not configure server because SASL configuration did not allow the  ZooKeeper server to authenticate itself properly: javax.security.auth.login.LoginException: Cannot locate KDC
    at org.apache.zookeeper.server.ServerCnxnFactory.configureSaslLogin(ServerCnxnFactory.java:207)
    at org.apache.zookeeper.server.NIOServerCnxnFactory.configure(NIOServerCnxnFactory.java:87)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.runFromConfig(QuorumPeerMain.java:135)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.initializeAndRun(QuorumPeerMain.java:116)
    at org.apache.zookeeper.server.quorum.QuorumPeerMain.main(QuorumPeerMain.java:79)

 

Do you happen to have any suggestions where to check?

 

 

Thanks,

Silaphet


Re: Unable to create Kerberos Credentials with Cloudera Custom Retrieval Script

Hello,

 

Please check the Kerberos configuration files.

 

Example /etc/krb5.conf:

 

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
EXAMPLE.COM = {
kdc = kdc1.example.com:88
admin_server = kdc1.example.com:749
default_domain = example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

 

Example KDC configuration file /var/kerberos/krb5kdc/kdc.conf:

 

[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88

[realms]
EXAMPLE.COM = {
max_renewable_life = 7d 0h 0m 0s
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
default_principal_flags = +renewable
}

 

Gabor
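As an added example (not from this thread, and not Cloudera, MIT or FreeIPA code), here is a small Python checker that parses a krb5.conf in the layout shown above and reports the configuration gaps that surface at runtime as the "Cannot locate KDC" LoginException quoted in the ZooKeeper log earlier in the thread. With dns_lookup_kdc = false the library never consults DNS SRV records, so the default realm must have an explicit kdc = entry under [realms], and the two replies above also ask for fully qualified server names. The sample configurations are constructed for the example; the parser assumes the one level of brace nesting used by [realms] and does not follow include directives.

```python
"""Static checker for a krb5.conf that must work with DNS lookups disabled.

Added example, not from the thread. It parses [libdefaults], [realms] and
[domain_realm] and reports the gaps that appear as 'Cannot locate KDC'
when dns_lookup_kdc = false.
"""
import re
from typing import Dict, List


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the INI-with-braces krb5.conf format into nested dicts.

    Top-level keys are section names. Inside a section a value is a string,
    or a dict for 'REALM = { ... }' blocks. Repeated keys (several kdc =
    lines) are kept as a list. Only one level of braces is supported.
    """
    sections: Dict[str, Dict[str, object]] = {}
    section = None
    block = None  # name of the '{ ... }' block currently open, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"key outside any section: {line!r}")
        if line == "}":
            block = None
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = key
            section[key] = {}
            continue
        target = section[block] if block else section
        if key in target:  # e.g. multiple kdc = lines become a list
            old = target[key]
            target[key] = (old if isinstance(old, list) else [old]) + [value]
        else:
            target[key] = value
    return sections


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def diagnose(text: str) -> List[str]:
    """Return human-readable findings; an empty list means no gap was found."""
    conf = parse_krb5_conf(text)
    findings: List[str] = []
    lib = conf.get("libdefaults", {})
    realm = lib.get("default_realm")
    if not realm:
        return ["[libdefaults] has no default_realm"]
    # MIT defaults: dns_lookup_kdc is true, dns_lookup_realm is false.
    dns_kdc = str(lib.get("dns_lookup_kdc", "true")).lower() == "true"
    block = conf.get("realms", {}).get(realm)
    if not isinstance(block, dict):
        findings.append(f"[realms] has no block for default realm {realm}")
    else:
        if not dns_kdc and "kdc" not in block:
            findings.append(
                f"dns_lookup_kdc is false but [realms] {realm} lists no kdc = "
                "entry, so clients fail with \"Cannot locate KDC\""
            )
        for key in ("kdc", "admin_server"):
            for server in _as_list(block.get(key, [])):
                host = server.rsplit(":", 1)[0] if ":" in server else server
                if "." not in host:
                    findings.append(f"{key} = {server} is not a fully qualified name")
    mapped = conf.get("domain_realm", {}).values()
    if realm not in mapped:
        findings.append(
            f"no [domain_realm] entry maps to {realm}; hosts are mapped by "
            "uppercasing their DNS domain, which only works when the domain "
            "name equals the realm name"
        )
    return findings


# Constructed sample: DNS lookups disabled, but the realm block has no kdc line.
BROKEN_CONF = """
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  admin_server = ipa
 }
"""

# Constructed sample in the same shape as the working example in the thread.
GOOD_CONF = """
[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.COM = {
  kdc = kdc1.example.com:88
  admin_server = kdc1.example.com:749
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("good", GOOD_CONF)):
        print(name, diagnose(conf) or ["ok"])
```

Run it against /etc/krb5.conf on a node that fails to start (`diagnose(open("/etc/krb5.conf").read())`) before touching the service configuration; the same check covers the kdc.conf realm name, since a default_realm that differs from the realm the KDC serves shows up as the missing [realms] block.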


Re: Unable to create Kerberos Credentials with Cloudera Custom Retrieval Script

Hi,

 

After correcting a few parameters in the configuration files, we were able to address the issue.

 

Another quick question: is there any step-by-step information available on disabling Kerberos? We want to remove MIT Kerberos and then enable it with Red Hat IPA.

 

Thanks,

Silaphet


Re: Unable to create Kerberos Credentials with Cloudera Custom Retrieval Script


Re: Unable to create Kerberos Credentials with Cloudera Custom Retrieval Script

Hi,

 

Sorry for the delayed response. Currently, Kerberos is using the CLOUDERA realm and all services are using principals from the local KDC. The goal is to generate new principals from IPA and have all services use the new principals. Also, we want to replace the current realm with the new realm from IPA.

 

What is the correct step-by-step process for this migration work?

 

Thanks,

Silaphet