Support Questions

Find answers, ask questions, and share your expertise

Enabling Keberos for cluster fails when importing KDC account manager

avatar
Contributor

Hi,

I am trying to enable kerberos for my cloudera cluster. I have setup the keberos configuration file on the server and added principal for cloudera-scm but when importing the account manager credentials, I am getting following error. I tried to find solutions from already posted solutions, but all looks fine and still getting error.

 

Can anyone help.  

 

Here are my configurations and versions of Cloudera

 

 

CDH 5.12.2

Java Version: 1.7.0_75

 

priclusedge.a.15192.internal

 

 cat /etc/krb5.conf


[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = PRICLUSTER.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 udp_preference_limit = 1000000
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1

[realms]
 PRICLUSTER.COM = {
  kdc = priclusedge.a.15192.internal:88
  admin_server = priclusedge.a.15192.internal:749
  default_domain = pricluster.com
 }

[domain_realm]
  .pricluster.com = PRICLUSTER.COM
  pricluster.com = PRICLUSTER.COM

 

 cat kdc.conf



[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 v4_mode = nopreauth

[realms]
 PRICLUSTER.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  key_stash_file = /var/kerberos/krb5kdc/stash
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  database_name = /var/kerberos/krb5kdc/principal
  max_life = 1d
  max_renewable_life = 7d
  master_key_type = des3-hmac-sha1
  default_principal_flags = +preauth
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal des-hmac-sha1:normal des-cbc-crc:normal
 }

default_realm = PRICLUSTER.COM

 

 

[root@priclusedge krb5kdc]# kadmin.local

Authenticating as principal root/admin@PRICLUSTER.COM with password.
kadmin.local:  get_principals
K/M@PRICLUSTER.COM
cloudera-scm/admin@PRICLUSTER.COM
kadmin/admin@PRICLUSTER.COM
kadmin/changepw@PRICLUSTER.COM
kadmin/priclusedge.a.15192.internal@PRICLUSTER.COM
krbtgt/PRICLUSTER.COM@PRICLUSTER.COM

 

[root@priclusedge krb5kdc]# service krb5kdc status
krb5kdc (pid  6096) is running...
[root@priclusedge krb5kdc]# service kadmin status
kadmind (pid  6129) is running...

 

Error Message while importing accout manager credentials

 

/usr/share/cmf/bin/import_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf8091152271730902012.keytab
+ USER=cloudera-scm/REDACTED@PRICLUSTER.COM
+ PASSWD=REDACTED
+ KVNO=1
+ SLEEP=0
+ RHEL_FILE=/etc/redhat-release
+ '[' -f /etc/redhat-release ']'
+ set +e
+ grep Tikanga /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'CentOS release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'Scientific Linux release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ IFS=' '
+ read -a ENC_ARR
+ ktutil
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes256-cts:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes128-cts:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des3-hmac-sha1:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des-hmac-sha1:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des-cbc-crc:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/cloudera-scm-server/cmf8091152271730902012.keytab'
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
+ chmod 600 /var/run/cloudera-scm-server/cmf8091152271730902012.keytab
chmod: cannot access `/var/run/cloudera-scm-server/cmf8091152271730902012.keytab': No such file or directory

>>
1 ACCEPTED SOLUTION

avatar
Master Collaborator

Hi Sandy,

 

 

 

+ ktutil
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes256-cts:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes128-cts:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des3-hmac-sha1:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des-hmac-sha1:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des-cbc-crc:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/cloudera-scm-server/cmf8091152271730902012.keytab'
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
+ chmod 600 /var/run/cloudera-scm-server/cmf8091152271730902012.keytab
chmod: cannot access `/var/run/cloudera-scm-server/cmf8091152271730902012.keytab': No such file or directory

 

Base on the above information, I've noticed that you have set the encryption in 

CM UI> Administration> Setting> Kerberos> "Kerberos Encryption Types" as 

- aes256-cts:normal

- aes128-cts:normal

- des3-hmac-sha1:normal

- des-hmac-sha1:normal

- des-cbc-crc:normal

 

The error I see is that while ktutil executed the command addent it failed with "Bad encryption type while adding new entry"

 

Therefore, ktutil failed to set -e encryption_type for all 5 encryption types you've specified, so there was nothing to be written into a keytab (wkt keytab) see: 'wkt /var/run/cloudera-scm-server/cmf8091152271730902012.keytab'

 

 

 

The encryption type combination you've specified is valid for kadmin/kadmin.local tool where the -e parameter can be specified as encryption:salt, but it is not valid for ktutil -e encryption_type

 

Since CM script is using ktutil you may need to remove the salt suffixed ':normal'.

The salt :normal is default for Kerberos Version 5, you only need to set the encryption type [0] in 

CM UI> Administration> Setting> Kerberos> "Kerberos Encryption Types"

 

Encryption Type

- aes256-cts

- aes128-cts

- des3-hmac-sha1

- des-hmac-sha1

- des-cbc-crc

 

Let me know if this helps,

 

Michalis

 

[0] https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/kdc_conf.html#encryption-types

Note: A feature request OPSAPS-29768 is in progress to not allow manual entry in "Kerberos Encryption Types"

View solution in original post

11 REPLIES 11

avatar
Master Collaborator

Hi Sandy,

 

 

 

+ ktutil
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes256-cts:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes128-cts:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des3-hmac-sha1:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des-hmac-sha1:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des-cbc-crc:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/cloudera-scm-server/cmf8091152271730902012.keytab'
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
+ chmod 600 /var/run/cloudera-scm-server/cmf8091152271730902012.keytab
chmod: cannot access `/var/run/cloudera-scm-server/cmf8091152271730902012.keytab': No such file or directory

 

Base on the above information, I've noticed that you have set the encryption in 

CM UI> Administration> Setting> Kerberos> "Kerberos Encryption Types" as 

- aes256-cts:normal

- aes128-cts:normal

- des3-hmac-sha1:normal

- des-hmac-sha1:normal

- des-cbc-crc:normal

 

The error I see is that while ktutil executed the command addent it failed with "Bad encryption type while adding new entry"

 

Therefore, ktutil failed to set -e encryption_type for all 5 encryption types you've specified, so there was nothing to be written into a keytab (wkt keytab) see: 'wkt /var/run/cloudera-scm-server/cmf8091152271730902012.keytab'

 

 

 

The encryption type combination you've specified is valid for kadmin/kadmin.local tool where the -e parameter can be specified as encryption:salt, but it is not valid for ktutil -e encryption_type

 

Since CM script is using ktutil you may need to remove the salt suffixed ':normal'.

The salt :normal is default for Kerberos Version 5, you only need to set the encryption type [0] in 

CM UI> Administration> Setting> Kerberos> "Kerberos Encryption Types"

 

Encryption Type

- aes256-cts

- aes128-cts

- des3-hmac-sha1

- des-hmac-sha1

- des-cbc-crc

 

Let me know if this helps,

 

Michalis

 

[0] https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/kdc_conf.html#encryption-types

Note: A feature request OPSAPS-29768 is in progress to not allow manual entry in "Kerberos Encryption Types"

avatar
Contributor

@michalis

I removed the salt :normal while enabling kerberos using cloudera manager and it imported the kdc successfully..  

 

Thanks @bgooley and @michalis  for the support and helping me to solve this tricky one.