Created 03-25-2018 06:20 AM
Hi,
I am trying to enable Kerberos for my Cloudera cluster. I have set up the Kerberos configuration file on the server and added a principal for cloudera-scm, but when importing the KDC Account Manager credentials in Cloudera Manager I get the error below. I compared my setup against already-posted solutions and everything looks fine, yet the error persists.
Can anyone help.
Here are my configurations and versions of Cloudera
CDH 5.12.2
Java Version: 1.7.0_75
priclusedge.a.15192.internal
cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = PRICLUSTER.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
udp_preference_limit = 1000000
default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
[realms]
PRICLUSTER.COM = {
kdc = priclusedge.a.15192.internal:88
admin_server = priclusedge.a.15192.internal:749
default_domain = pricluster.com
}
[domain_realm]
.pricluster.com = PRICLUSTER.COM
pricluster.com = PRICLUSTER.COM
cat kdc.conf
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
v4_mode = nopreauth
[realms]
PRICLUSTER.COM = {
#master_key_type = aes256-cts
acl_file = /var/kerberos/krb5kdc/kadm5.acl
key_stash_file = /var/kerberos/krb5kdc/stash
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
database_name = /var/kerberos/krb5kdc/principal
max_life = 1d
max_renewable_life = 7d
master_key_type = des3-hmac-sha1
default_principal_flags = +preauth
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-crc:normal
}
default_realm = PRICLUSTER.COM
[root@priclusedge krb5kdc]# kadmin.local
Authenticating as principal root/admin@PRICLUSTER.COM with password.
kadmin.local: get_principals
K/M@PRICLUSTER.COM
cloudera-scm/admin@PRICLUSTER.COM
kadmin/admin@PRICLUSTER.COM
kadmin/changepw@PRICLUSTER.COM
kadmin/priclusedge.a.15192.internal@PRICLUSTER.COM
krbtgt/PRICLUSTER.COM@PRICLUSTER.COM
[root@priclusedge krb5kdc]# service krb5kdc status
krb5kdc (pid 6096) is running...
[root@priclusedge krb5kdc]# service kadmin status
kadmind (pid 6129) is running...
Error message while importing the Account Manager credentials:
/usr/share/cmf/bin/import_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf8091152271730902012.keytab
+ USER=cloudera-scm/REDACTED@PRICLUSTER.COM
+ PASSWD=REDACTED
+ KVNO=1
+ SLEEP=0
+ RHEL_FILE=/etc/redhat-release
+ '[' -f /etc/redhat-release ']'
+ set +e
+ grep Tikanga /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'CentOS release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'Scientific Linux release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ IFS=' '
+ read -a ENC_ARR
+ ktutil
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes256-cts:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes128-cts:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des3-hmac-sha1:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des-hmac-sha1:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des-cbc-crc:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/cloudera-scm-server/cmf8091152271730902012.keytab'
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED". Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED". Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED". Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED". Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED". Type "?" for a request list.
+ chmod 600 /var/run/cloudera-scm-server/cmf8091152271730902012.keytab
chmod: cannot access `/var/run/cloudera-scm-server/cmf8091152271730902012.keytab': No such file or directory
>>
Created on 04-06-2018 07:13 AM - edited 04-06-2018 09:57 AM
Hi Sandy,
+ ktutil
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes256-cts:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes128-cts:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des3-hmac-sha1:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des-hmac-sha1:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des-cbc-crc:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/cloudera-scm-server/cmf8091152271730902012.keytab'
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED". Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED". Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED". Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED". Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED". Type "?" for a request list.
+ chmod 600 /var/run/cloudera-scm-server/cmf8091152271730902012.keytab
chmod: cannot access `/var/run/cloudera-scm-server/cmf8091152271730902012.keytab': No such file or directory
Based on the above information, I've noticed that you have set the encryption types in
CM UI> Administration> Setting> Kerberos> "Kerberos Encryption Types" as
- aes256-cts:normal
- aes128-cts:normal
- des3-hmac-sha1:normal
- des-hmac-sha1:normal
- des-cbc-crc:normal
The error I see is that every `addent` command ktutil executed failed with "Bad encryption type while adding new entry".
Because each `addent` is rejected before it reads the password from stdin, ktutil then consumes the next input line (the password itself) as a command, which is what produces `Unknown request "REDACTED"`. Cloudera Manager redacts the value in this output, but an unredacted trace of this script would echo the password back in clear text, so treat any such log as sensitive. Since all five encryption types failed, nothing was written to the keytab (`wkt /var/run/cloudera-scm-server/cmf8091152271730902012.keytab`), which is why the subsequent `chmod 600` cannot find the file.
The `encryption:salt` form you've specified is valid for the `-e` parameter of kadmin/kadmin.local, but ktutil's `addent -e` takes only an encryption type.
Since the CM script is using ktutil, you need to remove the `:normal` salt suffix.
`normal` is the default Kerberos 5 salt type, so you only need to list the encryption types [0] in
CM UI > Administration > Settings > Kerberos > "Kerberos Encryption Types":
Encryption Type
- aes256-cts
- aes128-cts
- des3-hmac-sha1
- des-hmac-sha1
- des-cbc-crc

Security note: the two single-DES types in that list (des-hmac-sha1 and des-cbc-crc) are weak and are disabled by default in MIT Kerberos (they require `allow_weak_crypto = true`, and newer releases have dropped single-DES entirely); recent JDKs likewise refuse DES unless weak crypto is explicitly enabled. Unless a legacy component genuinely needs DES, list only the AES types (aes256-cts, aes128-cts) — and note that on Java 1.7 aes256-cts requires the JCE Unlimited Strength policy files on every host. Whatever you choose must also agree with `default_tkt_enctypes`/`default_tgs_enctypes`/`permitted_enctypes` in your krb5.conf, which currently allow only DES/3DES and no AES, and with `supported_enctypes` in kdc.conf. For a freshly created realm, `master_key_type = aes256-cts` (the commented-out value in your kdc.conf) is also preferable to des3-hmac-sha1.
Let me know if this helps,
Michalis
[0] https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/kdc_conf.html#encryption-types
Note: A feature request OPSAPS-29768 is in progress to not allow manual entry in "Kerberos Encryption Types"
Created 04-06-2018 09:08 AM