Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

CM upgrade - stale Kerberos configuration

Labels:
avatar
author-rank Tomas79
Guru

Created ‎01-05-2018 07:23 AM

Hi,

 after an upgrade from CM 5.11 to 5.13 the Cloudera Manager complains with a red excl mark: Cluster has stale Kerberos client configuration.

 

The cluster was all in green before upgrade and had no problem with kerberos configs (/etc/krb5.conf).

 

What is more concerning, that after opening this warning, three (gateway) nodes does not require upgrade, but the rest of them does:

 

Consider stopping roles on these hosts to ensure that they are updated by this command:
ip-10-197-13-169.eu-west-1.compute.internal; ip-10-197-15-82.eu-west-1.compute.internal; ip-10-197-18-[113, 248].eu-west-1.compute.internal...

 

 

But the command is not there. What should I do? Stop the whole CDH and then rerun the deploy?

 

Thanks for the advise,

T.

 

4,643 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank bgooley author-rank
Master Guru

Created ‎01-07-2018 12:26 PM

@Tomas79,

 

The Cluster has stale Kerberos client configuration message indicates that there was some configuration change in Cloudera Manager to your Kerberos configuration that resulted in a change to the managed krb5.conf file.

 

I am not sure what the upgrade may have done, but it would be worth checking your Cloudera Manager configuration to see.

Try going to Administration --> Settings and then click the History and Rollback link.

 

See if there were any recent changes to your kerberos configuration.

 

If you don't find anything conclusive, the following should clear this up:

- stop CDH and Cloudera Management Service

- copy aside one of your existing /etc/krb5.conf files (for later comparison)

- From the cluster drop-down in the Cloudera Manager home page, choose Deploy Kerberos Client Configuration and deploy

- After the deploy is complete, start Cloudera Management Service and CDH

 

If the issue still occurs, let us know.

You may also want to compare the previous and new /etc/krb5.conf files to see if there are difference.

 

Not sure what happened to cause this situation, but the steps should help (as you suggested).

View solution in original post

4,612 Views
0
3 REPLIES 3

avatar
author-rank bgooley author-rank
Master Guru

Created ‎01-07-2018 12:26 PM

@Tomas79,

 

The Cluster has stale Kerberos client configuration message indicates that there was some configuration change in Cloudera Manager to your Kerberos configuration that resulted in a change to the managed krb5.conf file.

 

I am not sure what the upgrade may have done, but it would be worth checking your Cloudera Manager configuration to see.

Try going to Administration --> Settings and then click the History and Rollback link.

 

See if there were any recent changes to your kerberos configuration.

 

If you don't find anything conclusive, the following should clear this up:

- stop CDH and Cloudera Management Service

- copy aside one of your existing /etc/krb5.conf files (for later comparison)

- From the cluster drop-down in the Cloudera Manager home page, choose Deploy Kerberos Client Configuration and deploy

- After the deploy is complete, start Cloudera Management Service and CDH

 

If the issue still occurs, let us know.

You may also want to compare the previous and new /etc/krb5.conf files to see if there are difference.

 

Not sure what happened to cause this situation, but the steps should help (as you suggested).

4,613 Views
0

avatar
author-rank Tomas79
Guru

Created ‎01-10-2018 09:15 AM

I stopped CDH and did a Kerberos configuration redeploy.

The /etc/krb5.conf is more or less the same.

The only difference is the last line "[domain_realm], it was added by the CM.

 

After the redeploy the CDH started and now everything is in green

Thanks

Tomas

 

[libdefaults]
default_realm = MYREALM.LOCAL
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
default_tgs_enctypes = aes256-cts aes128-cts
default_tkt_enctypes = aes256-cts aes128-cts
permitted_enctypes = aes256-cts aes128-cts
udp_preference_limit = 1
kdc_timeout = 3000
[realms]
MYREALM.LOCAL = {
kdc = 10.197.16.197 10.197.16.88
admin_server = 10.197.16.197 10.197.16.88
}
[domain_realm]

 

4,597 Views
0 Kudos

avatar
author-rank ThriftTran
New Contributor

Created ‎06-10-2020 02:42 AM

I was not stoping cdh and cloudera management services  and deploying Kerberos configurations.

 

 

Now I stopped cdh and cloudera management services and deploying Kerberos configurations.
It worked for me and /etc/krb5.conf is updated for all hosts in cluster.

 

This issue resolved.

Thanks.

 

3,035 Views
0 Kudos
Announcements
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements