Cloudera Manager Kerberos Wizard Generated Active Directory accounts not working

New Contributor

Hi

 

I was able to run through the wizard to configure Kerberos on my cluster. I can see a bunch of accounts on AD created by the wizard but none seem to work.

 

org.apache.hadoop.security.KerberosAuthException: Login failure for user: hdfs/xxxx-dev-cdh-dn1.domain.net@DOMAIN.NET from keytab hdfs.keytab javax.security.auth.login.LoginException: Unable to obtain password from user

I can log in to Cloudera Manager fine with the AD users. But when I try to check the hdfs user Cloudera created in AD with the keytab it does not work. I can't find anything in your documentation that speaks to this issue. Do I need to go update the password in AD and generate a new keyfile or something?

 

kinit with user and keytab works!


[root@xx-dev-cdh-dn0 praelexis]# kinit -kt /var/run/cloudera-scm-agent/process/343-hdfs-DATANODE/hdfs.keytab hdfs/xx-dev-cdh-dn0.clientinsights.capinet

 klist -e

Default principal: hdfs/xx-dev-cdh-dn0.clientinsights.capinet@CLIENTINSIGHTS.CAPINET

Valid starting Expires Service principal
11/10/17 10:14:19 11/10/17 20:14:19 krbtgt/CLIENTINSIGHTS.CAPINET@CLIENTINSIGHTS.CAPINET
renew until 11/17/17 10:14:19, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

 

kinit cloud_admin (User Manager Account)
Password for cloud_admin@DOMAIN.NET:
[root@xx-dev-cdh-dn1 praelexis]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cloud_admin@DOMAIN.NET

Valid starting Expires Service principal
11/10/17 09:49:49 11/10/17 19:49:52 krbtgt/DOMAIN.NET@DOMAIN.NET
renew until 11/17/17 09:49:49, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

 

Also works

 

I can log in to my Linux Nodes with normal AD accounts fine.

 

Any help will be appreciated.

 

 

Regards

Nic

 

 


Re: Cloudera Manager Kerberos Wizard Generated Active Directory accounts not working

New Contributor

Don't worry about this, I sorted the issue.

The JCE wasn't installed properly on all the nodes. After I re-ran that setup the services were able to start using the keytabs created by the wizard.
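
The pattern in this thread (native kinit accepts the keytab, the Java service fails to log in) fits a JVM without the unlimited-strength JCE policy while the keytab holds aes256-cts-hmac-sha1-96 keys, because native kinit does not use JCE. As an added example, not part of the original posts or of Cloudera's tooling, here is a small check to run with the services' JVM on every node; the class name JceCheck and the etype table are assumptions of this example.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import java.security.GeneralSecurityException;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (hypothetical class name): reports whether this JVM may use
// the AES key sizes that the keytab's encryption types require.
public class JceCheck {
    // AES key size in bits per Kerberos etype, named as `klist -e` prints them.
    static final Map<String, Integer> ETYPE_BITS = new LinkedHashMap<>();
    static {
        ETYPE_BITS.put("aes128-cts-hmac-sha1-96", 128);
        ETYPE_BITS.put("aes256-cts-hmac-sha1-96", 256);
    }

    // True if the installed policy permits AES keys of this size and a
    // cipher really initialises with one (all-zero probe key, never used).
    static boolean usable(int bits) {
        try {
            if (Cipher.getMaxAllowedKeyLength("AES") < bits) return false;
            Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[bits / 8], "AES"));
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Defaults to the etype shown in the klist -e output in the question.
        String[] etypes = args.length > 0 ? args : new String[] {"aes256-cts-hmac-sha1-96"};
        System.out.println("java.version=" + System.getProperty("java.version")
                + " maxAES=" + Cipher.getMaxAllowedKeyLength("AES"));
        boolean ok = true;
        for (String etype : etypes) {
            Integer bits = ETYPE_BITS.get(etype);
            if (bits == null) {
                System.out.println(etype + ": not an AES etype, skipped");
                continue;
            }
            boolean u = usable(bits);
            ok &= u;
            System.out.println(etype + ": " + (u ? "usable" : "BLOCKED by JCE policy"));
        }
        System.exit(ok ? 0 : 1); // non-zero exit marks a node that needs the policy files
    }
}
```

A node that prints maxAES=128 and exits with status 1 is one where the policy files are missing for that JVM.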