Enabling Kerberos for cluster fails when importing KDC account manager

Re: Enabling Kerberos for cluster fails when importing KDC account manager

Super Collaborator

Hi Sandy,

+ ktutil
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes256-cts:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes128-cts:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des3-hmac-sha1:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des-hmac-sha1:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des-cbc-crc:normal'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/cloudera-scm-server/cmf8091152271730902012.keytab'
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
addent: Bad encryption type while adding new entry
ktutil: Unknown request "REDACTED".  Type "?" for a request list.
+ chmod 600 /var/run/cloudera-scm-server/cmf8091152271730902012.keytab
chmod: cannot access `/var/run/cloudera-scm-server/cmf8091152271730902012.keytab': No such file or directory

 

Based on the above information, I've noticed that you have set the encryption in CM UI> Administration> Setting> Kerberos> "Kerberos Encryption Types" as

- aes256-cts:normal

- aes128-cts:normal

- des3-hmac-sha1:normal

- des-hmac-sha1:normal

- des-cbc-crc:normal

 

The error I see is that while ktutil executed the command addent, it failed with "Bad encryption type while adding new entry".

Therefore, ktutil failed to set -e encryption_type for all 5 encryption types you've specified, so there was nothing to be written into a keytab (wkt keytab); see: 'wkt /var/run/cloudera-scm-server/cmf8091152271730902012.keytab'

The encryption type combination you've specified is valid for the kadmin/kadmin.local tool, where the -e parameter can be specified as encryption:salt, but it is not valid for ktutil -e encryption_type.

Since the CM script is using ktutil, you may need to remove the salt suffix ':normal'.

The salt :normal is the default for Kerberos Version 5; you only need to set the encryption type [0] in CM UI> Administration> Setting> Kerberos> "Kerberos Encryption Types"

 

Encryption Type

- aes256-cts

- aes128-cts

- des3-hmac-sha1

- des-hmac-sha1

- des-cbc-crc

 

Let me know if this helps,

Michalis

 

[0] https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/kdc_conf.html#encryption-types

Note: A feature request OPSAPS-29768 is in progress to not allow manual entry in "Kerberos Encryption Types"
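
The check described in the answer above, as an added example that is not part of the original thread and not Cloudera Manager's own script: a POSIX shell pre-flight that pulls the `-e` values out of an xtrace log like the one quoted and reports which ones carry a kadmin-style `:salt` suffix that ktutil's addent rejects. The function names and the third sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Cloudera Manager code. Function names are hypothetical.

# Strip a kadmin-style ":salt" suffix, leaving the bare enctype ktutil accepts.
normalize_enctype() {
    printf '%s\n' "${1%%:*}"
}

# Read a shell xtrace log on stdin; print each value passed to "addent ... -e".
enctypes_from_trace() {
    sed -n "s/.*addent .* -e \([^ ']*\).*/\1/p"
}

# Read one enctype per line on stdin. Print "OK <enc>" or "FIX <enc> -> <bare>".
# Returns 1 if any entry still carries a salt suffix, 0 otherwise.
check_enctypes() {
    rc=0
    while IFS= read -r enc; do
        [ -n "$enc" ] || continue
        case "$enc" in
            *:*) echo "FIX $enc -> $(normalize_enctype "$enc")"; rc=1 ;;
            *)   echo "OK $enc" ;;
        esac
    done
    return "$rc"
}

# Sample input: the first two lines and the error line are from the trace in
# the post; the third line (no salt suffix) is constructed.
SAMPLE_TRACE=$(cat <<'EOF'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes256-cts:normal'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e des-cbc-crc:normal'
+ echo 'addent -password -p cloudera-scm/REDACTED@PRICLUSTER.COM -k 1 -e aes128-cts'
addent: Bad encryption type while adding new entry
EOF
)

printf '%s\n' "$SAMPLE_TRACE" | enctypes_from_trace | check_enctypes ||
    echo "salt suffixes found: use the bare names in \"Kerberos Encryption Types\""
```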

Re: Enabling Kerberos for cluster fails when importing KDC account manager

Explorer

@Michalis

I removed the salt :normal while enabling Kerberos using Cloudera Manager and it imported the KDC successfully.

Thanks @bgooley and @Michalis for the support and helping me to solve this tricky one.