Cloudera 5.16.1 Kerberos Import Credentials Script Failing with Active Directory
Labels: Cloudera Manager, Kerberos
Created on 03-05-2020 02:25 AM, last edited on 03-05-2020 07:06 AM by VidyaSargur
Hi,
I'm running Cloudera 5.16.1 on CentOS 7 and OpenJDK 8.
I enabled TLS/SSL on Cloudera Manager (level 1 to level 3) with a self-signed certificate and then moved on to enabling Kerberos with AD.
I followed the docs but enabling Kerberos is failing when trying to import credentials.
/usr/share/cmf/bin/import_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf1018223695564634823.keytab
+ USER=cdhadmin@<XXXXX>.COM
+ PASSWD=REDACTED
+ KVNO=1
+ SLEEP=0
+ RHEL_FILE=/etc/redhat-release
+ '[' -f /etc/redhat-release ']'
+ set +e
+ grep Tikanga /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'CentOS release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'Scientific Linux release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' -z /var/run/cloudera-scm-server/krb51430682016564011407.conf ']'
+ echo 'Using custom config path '\''/var/run/cloudera-scm-server/krb51430682016564011407.conf'\'', contents below:'
+ cat /var/run/cloudera-scm-server/krb51430682016564011407.conf
+ IFS=' '
+ read -a ENC_ARR
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cdhadmin@<XXXXX>.COM -k 1 -e rc4-hmac'
+ ktutil
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/cloudera-scm-server/cmf1018223695564634823.keytab'
+ chmod 600 /var/run/cloudera-scm-server/cmf1018223695564634823.keytab
+ kinit -k -t /var/run/cloudera-scm-server/cmf1018223695564634823.keytab cdhadmin@<XXXXX>.COM
+ '[' true '!=' true ']'
++ mktemp /tmp/cm_ldap.XXXXXXXX
+ LDAP_CONF=/tmp/cm_ldap.lZPuleq0
+ echo 'TLS_REQCERT never'
+ echo 'sasl_secprops minssf=0,maxssf=0'
+ export LDAPCONF=/tmp/cm_ldap.lZPuleq0
+ LDAPCONF=/tmp/cm_ldap.lZPuleq0
+ set +e
+ ldapsearch -LLL -H ldaps://<xxxxx>.<xxxxx>.com:636 -b OU=cdh-kerberos,OU=CDH,DC=<xxxxx>,DC=com userPrincipalName=cdhadmin@<XXXXX>.COM
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
+ '[' 255 -ne 0 ']'
+ echo 'ldapsearch did not work with SASL authentication. Trying with simple authentication'
+ ldapsearch -LLL -H ldaps://<xxxxx>.<xxxxx>.com:636 -b OU=cdh-kerberos,OU=CDH,DC=<xxxxx>,DC=com -x -D cdhadmin@<XXXXX>.COM -w REDACTED userPrincipalName=cdhadmin@<XXXXX>.COM
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
+ '[' 255 -ne 0 ']'
+ echo 'Failed to do ldapsearch.'
+ echo 'Please make sure Active Directory configuration is correctly specified and LDAP over SSL is enabled.'
+ exit 1
I verified that LDAPS is enabled for Active Directory and verified all settings again but could not solve the issue.
I ran the command below manually on the Cloudera server and it worked fine (got output):
ldapsearch -LLL -H ldaps://<xxxxx>.<xxxxx>.com:636 -b OU=cdh-kerberos,OU=CDH,DC=<xxxxx>,DC=com -x -D cdhadmin@<XXXXX>.COM -w <PASSWORD>
One thing I should mention is that I did not edit the krb5.conf file and checked the "Manage krb5.conf through Cloudera Manager" box in the settings.
Please assist / advise.
Created 03-05-2020 10:27 AM
@khjomaa The error message is complaining about an LDAP(S) issue, though, as you said, you already tried the command below and it worked.
ldapsearch -LLL -H ldaps://<xxxxx>.<xxxxx>.com:636 -b OU=cdh-kerberos,OU=CDH,DC=<xxxxx>,DC=com -x -D cdhadmin@<XXXXX>.COM -w <PASSWORD>
I would like to see the output of the command below from the CM server host, which will give you a clear picture of whether LDAP over SSL is enabled on the AD side. If openssl shows that no peer certificate is returned, this indicates that the port is NOT listening via TLS:
# openssl s_client -showcerts -connect <xxxxx>.<xxxxx>.com:636
Also, for "Manage krb5.conf through Cloudera Manager", it is good to enable it if you want the krb5.conf file managed smoothly without any manual intervention.
Cheers,
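As an added example (not part of the reply above and not Cloudera's code), here is a small POSIX shell helper that runs the openssl s_client probe suggested above and classifies its output, so the check can be scripted and repeated instead of being read by eye. The host and port are placeholders; classify_s_client_output only needs the captured text, so it also works on s_client output pasted from another machine.

```shell
#!/bin/sh
# Added example, not Cloudera's code. Wraps the "openssl s_client -showcerts"
# probe from the reply above and turns its output into a verdict.

# classify_s_client_output: read s_client output on stdin.
# Prints one line and returns:
#   0  "ok certs=N verify=..."  a peer certificate was presented, so the port
#                                speaks TLS; the verify code tells you whether
#                                the issuing CA is trusted on this host
#   1  "no-cert certs=0"        "no peer certificate available": the port
#                                answered without TLS, or nothing answered
classify_s_client_output() {
  awk '
    /no peer certificate available/ { notls = 1 }
    /^-----BEGIN CERTIFICATE-----/  { certs++ }
    /Verify return code:/           { vrc = $0 }
    END {
      if (notls || certs == 0) { print "no-cert certs=" certs + 0; exit 1 }
      sub(/^.*Verify return code: */, "", vrc)
      print "ok certs=" certs " verify=\"" vrc "\""
      exit 0
    }'
}

# probe_ldaps HOST PORT: run the live probe. stdin is /dev/null so s_client
# does not sit waiting for input; stderr is merged because some of the
# diagnostics are written there.
probe_ldaps() {
  openssl s_client -showcerts -connect "$1:$2" </dev/null 2>&1 |
    classify_s_client_output
}

# Only probe when a target is given, so the file can be sourced safely.
# Usage: LDAPS_HOST=dc01.example.com sh ldaps_probe.sh   (placeholder host)
if [ -n "${LDAPS_HOST:-}" ]; then
  probe_ldaps "$LDAPS_HOST" "${LDAPS_PORT:-636}"
fi
```

A "no-cert" verdict against port 636 matches the failure mode the reply describes (the port is open but not serving TLS, or LDAPS was never enabled on the domain controller); an "ok" verdict with a non-zero verify code means TLS is up but the AD certificate chain is not trusted by the host's CA store, which is a separate problem from the one in this thread.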
Created 03-11-2020 10:09 AM
Hi,
Thanks for your reply.
After investigating the issue I found that command (ldapsearch) failed because user cloudera-scm does not have the proper permissions.
So as a workaround I added sudo before the ldap commands in the following scripts:
/usr/share/cmf/bin/import_credentials.sh
/usr/share/cmf/bin/gen_credentials_ad.sh
and then everything worked fine.
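The root cause found above is a permission difference: the CM helper scripts run the LDAP client as the cloudera-scm service account, while the manual ldapsearch in this thread was run as root. Prefixing the vendor scripts with sudo makes the LDAP client run as root and will be lost when the cmf package is updated, so the check below, an added example that is not Cloudera's code, does the diagnosis the other way round: it evaluates which client files the service account cannot read, and prints the same ldapsearch to rerun as that account. The file paths are typical CentOS 7 / OpenLDAP-client locations and are assumptions; adjust them to your host.

```shell
#!/bin/sh
# Added example, not Cloudera's code. Finds files the LDAP client needs that
# the service account cannot read, instead of adding sudo to CM's scripts.
# Paths are typical CentOS 7 / OpenLDAP-client locations (assumption).

SERVICE_USER="${SERVICE_USER:-cloudera-scm}"
LDAP_SYS_CONF="${LDAP_SYS_CONF:-/etc/openldap/ldap.conf}"

# can_user_read FILE USER
#   0 readable, 1 not readable, 2 file or user does not exist.
# Only the classic owner/group/other bits are evaluated; POSIX ACLs and
# SELinux can still deny or allow access, so treat "readable" as necessary,
# not sufficient. root is assumed to bypass mode bits.
can_user_read() {
  file=$1; user=$2
  [ -e "$file" ] || return 2
  groups=$(id -Gn "$user" 2>/dev/null) || return 2
  [ "$user" = root ] && return 0
  info=$(stat -c '%U %G %a' "$file" 2>/dev/null) || return 2
  set -- $info
  owner=$1; group=$2; mode=$3
  mode=${mode#"${mode%???}"}            # keep the last three octal digits
  if [ "$owner" = "$user" ]; then
    bits=$(printf '%s' "$mode" | cut -c1)
  elif printf '%s\n' $groups | grep -qx "$group"; then
    bits=$(printf '%s' "$mode" | cut -c2)
  else
    bits=$(printf '%s' "$mode" | cut -c3)
  fi
  [ $((bits & 4)) -ne 0 ]
}

# ldap_conf_paths CONF: extract TLS_CACERT / TLS_CACERTDIR from an ldap.conf,
# which the client reads in addition to the temporary LDAPCONF file that
# import_credentials.sh writes (the one containing "TLS_REQCERT never").
ldap_conf_paths() {
  [ -r "$1" ] || return 0
  awk 'toupper($1) == "TLS_CACERT" || toupper($1) == "TLS_CACERTDIR" { print $2 }' "$1"
}

# report_access USER FILE...: print one verdict per file.
report_access() {
  user=$1; shift
  for f in "$@"; do
    rc=0; can_user_read "$f" "$user" || rc=$?
    case $rc in
      0) echo "ok       $user can read $f" ;;
      1) echo "DENIED   $user cannot read $f (mode bits)" ;;
      *) echo "skip     $f or user $user not found" ;;
    esac
  done
}

# Usage: sh ldap_client_access.sh --diagnose   (as root, on the CM host)
if [ "${1:-}" = "--diagnose" ]; then
  report_access "$SERVICE_USER" "$LDAP_SYS_CONF" /etc/krb5.conf \
    $(ldap_conf_paths "$LDAP_SYS_CONF")
  echo "Now repeat the manual ldapsearch as the service account, e.g.:"
  echo "  sudo -u $SERVICE_USER ldapsearch -LLL -H ldaps://<host>:636 -b <base> -x -D <bind dn> -W"
fi
```

Running the manual ldapsearch with sudo -u cloudera-scm reproduces the context the CM script actually runs in; if that fails where the root invocation succeeds, fix the mode or ownership of the file the report flags (or the ACL/SELinux label, which this check does not see) and the unmodified import_credentials.sh will work again.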
Created 03-16-2020 04:35 AM
Cheers,
Thanks for contributing to the Cloudera Community.
