Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

CDH 5 Sentry Service setup kerberos PREAUTH_FAILED Error

avatar
author-rank alpertankut
Contributor

Created on ‎09-25-2017 07:50 AM - edited ‎09-16-2022 05:17 AM

During my sentry installation, I have faced an issue that gave me big flag on CDH manager.

on step 5, Sentry principal keytab is failing to authenticate. 

My guess is, someone changed (or deleted and recrated) the sentry principal and CDH manager is sending a different keytab everytime I try to set the server. 

I have searched the sentry keytab file on server and I see that CDH mngr creates different keytab file with different attemp number extention everytime send a request(everytime I try to set up) 

1. where is the keytab file that CDH mngr keeps and sends for sentry authentication?

2. Do I have to uninstall and reinstall kerberos to get the sentry principal correctly setup? I have tried every possible way and this is the only one left.

3. Why is CDH mngr is set up like this?

 

This is a decision point in our company to choose best Hadoop Distro enterprice version and we already have a glitch when we were enable Kerberos in CDH

 

Here is the Error log:

JAVA_HOME=/usr/java/jdk1.7.0_67-cloudera
using /usr/java/jdk1.7.0_67-cloudera as JAVA_HOME
using 5 as CDH_VERSION
Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /var/run/cloudera-scm-agent/process/1625-sentry-SENTRY_SERVER/sentry.keytab refreshKrb5Config is true principal is sentry/********.********.dev@********.DEV tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Acquire TGT from Cache
Principal is sentry/********.********.dev@********.DEV
null credentials from Ticket Cache
[Krb5LoginModule] authentication failed
Integrity check on decrypted field failed (31) - PREAUTH_FAILED
Mon Sep 25 08:47:18 EDT 2017
JAVA_HOME=/usr/java/jdk1.7.0_67-cloudera
using /usr/java/jdk1.7.0_67-cloudera as JAVA_HOME
using 5 as CDH_VERSION
Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /var/run/cloudera-scm-agent/process/1625-sentry-SENTRY_SERVER/sentry.keytab refreshKrb5Config is true principal is sentry/********.********.dev@********.DEV tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Acquire TGT from Cache
Principal is sentry/********.********.dev@********.DEV
null credentials from Ticket Cache
[Krb5LoginModule] authentication failed
Integrity check on decrypted field failed (31) - PREAUTH_FAILED

3,724 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank alpertankut
Contributor

Created ‎09-25-2017 02:37 PM

This issue is solved by recreating the credentials!

View solution in original post

3,703 Views
0 Kudos
2 REPLIES 2

avatar
author-rank alpertankut
Contributor

Created ‎09-25-2017 02:37 PM

This issue is solved by recreating the credentials!

3,704 Views
0 Kudos

avatar
author-rank wallace-x
Explorer

Created ‎11-10-2019 07:32 AM

Are there steps?

2,012 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements