Support Questions

hbashir · ‎01-03-2019

I am getting a server action failed error when ambari tries to create keytabs. I have no idea what is causing this error. I am using KDC admin to install the service. Please help. @Geoffrey Shelton Okot

Shelton · ‎01-16-2019

@huzaira bashir

There seems to be a mismatch between the Active Directory encryption type and the MIT encryption types can you align the 2 supported_enctypes to be the same.

Windows supports the below encryption types depending on the Windows version which are weak encryption

DES_CBC_CRC 
DES_CBC_MD5 
RC4_HMAC_MD5 
AES128_HMAC_SHA1 
AES256_HMAC_SHA1

In your kdc.conf you have stronger encryption types you validate the AD encryption types? Else try to comment out the kdc.conf encryptions see below

# supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal

and see whether the error persists?

View solution in original post

rlevas · ‎01-16-2019

Interesting.... Actually I am not sure why `UNKNOWN:normal` is in there. Did you edit the encryption types in the configure Kerberos page, under Advanced kerberos-env? It should be `aes des3-cbc-sha1 rc4 des-cbc-md5`. Does your have a different value?

Shelton · ‎01-16-2019

@huzaira bashir

Can you share your krb5 and kdc conf files for analysis?

hbashir · ‎01-16-2019

@Geoffrey Shelton Okot

Find attached the 2 files

rlevas · ‎01-16-2019

One thing to note is that Ambari appears to not be managing the krb5.conf file. This is fine, but Hadoop does not support the KEYRING cache type. You need to change

 default_ccache_name = KEYRING:persistent:%{uid}

to

default_ccache_name = /tmp/krb5cc_%{uid}

Shelton · ‎01-16-2019

@huzaira bashir

There seems to be a mismatch between the Active Directory encryption type and the MIT encryption types can you align the 2 supported_enctypes to be the same.

Windows supports the below encryption types depending on the Windows version which are weak encryption

DES_CBC_CRC 
DES_CBC_MD5 
RC4_HMAC_MD5 
AES128_HMAC_SHA1 
AES256_HMAC_SHA1

In your kdc.conf you have stronger encryption types you validate the AD encryption types? Else try to comment out the kdc.conf encryptions see below

# supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal

and see whether the error persists?

mRabramS · ‎01-16-2019

This is to the point! I got the same error when tried changing the default Ambari suggested enctypes to my custom ones. The custom ones work fine though with MIT KDC, but apparantly not with Ambari.

hbashir · ‎01-17-2019

@Geoffrey Shelton Okot So hashing out the the line in kdc.conf was not enough to make the errors go away, but when I changed the default config in Ambari to only 2 encryption types and hashed out the default ticket encryptions as well. the error went away. Thanks for all your help.

Joshua_yao · ‎05-08-2021

thank you so much. I encountered same problem,but it solved after read your solution.

I also changed the default config in Ambari to only 2 encryption types and hashed out the default ticket encryptions as well, then error went away.

Cloudera Community

Support Questions

Ambari Fails to create Keytabs when Installing new services or when trying to regenerate keytabs of existing services

Manual Keytab / Principal creation for IPA to supp...

Fail to install new services using Ambari

Location of keytab files

Ambari API - Run all service checks (bulk)

re-create keytab for Spark

Kerberized HDP 2.5 kerberos Service Check fails wi...

How to configure existing hbase service to existi...

Ambari - No Service Action button for services.

How does Ambari create Principals and keytabs on A...

How to Implement custom service, add the service, ...