Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

CDH 5 Sentry Service setup kerberos PREAUTH_FAILED Error

avatar
author-rank alpertankut
Contributor

Created on ‎09-25-2017 07:50 AM - edited ‎09-16-2022 05:17 AM

During my sentry installation, I have faced an issue that gave me big flag on CDH manager.

on step 5, Sentry principal keytab is failing to authenticate. 

My guess is, someone changed (or deleted and recrated) the sentry principal and CDH manager is sending a different keytab everytime I try to set the server. 

I have searched the sentry keytab file on server and I see that CDH mngr creates different keytab file with different attemp number extention everytime send a request(everytime I try to set up) 

1. where is the keytab file that CDH mngr keeps and sends for sentry authentication?

2. Do I have to uninstall and reinstall kerberos to get the sentry principal correctly setup? I have tried every possible way and this is the only one left.

3. Why is CDH mngr is set up like this?

 

This is a decision point in our company to choose best Hadoop Distro enterprice version and we already have a glitch when we were enable Kerberos in CDH

 

Here is the Error log:

JAVA_HOME=/usr/java/jdk1.7.0_67-cloudera
using /usr/java/jdk1.7.0_67-cloudera as JAVA_HOME
using 5 as CDH_VERSION
Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /var/run/cloudera-scm-agent/process/1625-sentry-SENTRY_SERVER/sentry.keytab refreshKrb5Config is true principal is sentry/********.********.dev@********.DEV tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Acquire TGT from Cache
Principal is sentry/********.********.dev@********.DEV
null credentials from Ticket Cache
[Krb5LoginModule] authentication failed
Integrity check on decrypted field failed (31) - PREAUTH_FAILED
Mon Sep 25 08:47:18 EDT 2017
JAVA_HOME=/usr/java/jdk1.7.0_67-cloudera
using /usr/java/jdk1.7.0_67-cloudera as JAVA_HOME
using 5 as CDH_VERSION
Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /var/run/cloudera-scm-agent/process/1625-sentry-SENTRY_SERVER/sentry.keytab refreshKrb5Config is true principal is sentry/********.********.dev@********.DEV tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Acquire TGT from Cache
Principal is sentry/********.********.dev@********.DEV
null credentials from Ticket Cache
[Krb5LoginModule] authentication failed
Integrity check on decrypted field failed (31) - PREAUTH_FAILED

3,861 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank alpertankut
Contributor

Created ‎09-25-2017 02:37 PM

This issue is solved by recreating the credentials!

View solution in original post

3,840 Views
0 Kudos
0
2 REPLIES 2

avatar
author-rank alpertankut
Contributor

Created ‎09-25-2017 02:37 PM

This issue is solved by recreating the credentials!

3,841 Views
0 Kudos
0

avatar
author-rank wallace-x
Explorer

Created ‎11-10-2019 07:32 AM

Are there steps?

2,149 Views
0 Kudos
Announcements
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements