
Error while Enabling Kerberos

New Contributor

/usr/share/cmf/bin/import_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf7282863856941320449.keytab
+ USER=cm@HADOOPSECURITY.LOCAL
+ PASSWD=REDACTED
+ KVNO=1
+ SLEEP=0
+ RHEL_FILE=/etc/redhat-release
+ '[' -f /etc/redhat-release ']'
+ set +e
+ grep Tikanga /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'CentOS release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'Scientific Linux release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ IFS=' '
+ read -a ENC_ARR
+ for ENC in '"${ENC_ARR[@]}"'
+ ktutil
+ echo 'addent -password -p cm@HADOOPSECURITY.LOCAL -k 1 -e rc4-hmac'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cm@HADOOPSECURITY.LOCAL -k 1 -e aes128-cts-hmac-sha1-96'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cm@HADOOPSECURITY.LOCAL -k 1 -e aes256-cts-hmac-sha1-96'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cm@HADOOPSECURITY.LOCAL -k 1 -e arcfour-hmac-md5'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/cloudera-scm-server/cmf7282863856941320449.keytab'
+ chmod 600 /var/run/cloudera-scm-server/cmf7282863856941320449.keytab
+ kinit -k -t /var/run/cloudera-scm-server/cmf7282863856941320449.keytab cm@HADOOPSECURITY.LOCAL
+ '[' true '!=' true ']'
++ mktemp /tmp/cm_ldap.XXXXXXXX
+ LDAP_CONF=/tmp/cm_ldap.0sQi4sKr
+ echo 'TLS_REQCERT never'
+ echo 'sasl_secprops minssf=0,maxssf=0'
+ export LDAPCONF=/tmp/cm_ldap.0sQi4sKr
+ LDAPCONF=/tmp/cm_ldap.0sQi4sKr
+ set +e
+ ldapsearch -LLL -H ldaps://hadoop-ad.hadoopsecurity.local:636 -b ou=hadoop-ad,DC=hadoopsecurity,DC=local userPrincipalName=cm@HADOOPSECURITY.LOCAL
SASL/GSSAPI authentication started
SASL username: cm@HADOOPSECURITY.LOCAL
SASL SSF: 0
No such object (32)
Matched DN: DC=hadoopsecurity,DC=local
Additional information: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=hadoopsecurity,DC=local'

+ '[' 32 -ne 0 ']'
+ echo 'ldapsearch did not work with SASL authentication. Trying with simple authentication'
+ ldapsearch -LLL -H ldaps://hadoop-ad.hadoopsecurity.local:636 -b ou=hadoop-ad,DC=hadoopsecurity,DC=local -x -D cm@HADOOPSECURITY.LOCAL -w REDACTED userPrincipalName=cm@HADOOPSECURITY.LOCAL
No such object (32)
Matched DN: DC=hadoopsecurity,DC=local
Additional information: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=hadoopsecurity,DC=local'

+ '[' 32 -ne 0 ']'
+ echo 'Failed to do ldapsearch.'
+ echo 'Please make sure Active Directory configuration is correctly specified and LDAP over SSL is enabled.'
+ exit 1

>>


Re: Error while Enabling Kerberos

Master Collaborator

@Shri23 Error 32 usually means the referenced object does not exist, i.e. you entered a bad DN value for something that needed a correct DN value.

Please look at your AD and confirm that the user exists in the path:

ou=hadoop-ad,DC=hadoopsecurity,DC=local userPrincipalName=cm@HADOOPSECURITY.LOCAL

Also as a side note the service account should have create, modify and delete access in AD as well. 


Cheers!
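
The `Matched DN` line in the trace above shows how far the directory got when resolving the search base. As an added example (not part of this thread and not Cloudera's script; the function names are hypothetical), this Python code pairs each failing `ldapsearch -b` base with the `Matched DN` the server returned and reports the leading RDNs that did not resolve:

```python
import re

# Constructed sample: the failing search and server reply, taken from the trace above.
SAMPLE = """\
+ ldapsearch -LLL -H ldaps://hadoop-ad.hadoopsecurity.local:636 -b ou=hadoop-ad,DC=hadoopsecurity,DC=local userPrincipalName=cm@HADOOPSECURITY.LOCAL
No such object (32)
Matched DN: DC=hadoopsecurity,DC=local
"""


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas (backslash escapes stay intact)."""
    return [r.strip() for r in re.findall(r"(?:\\.|[^,\\])+", dn) if r.strip()]


def norm(rdn):
    """Case-insensitive comparison key for one RDN, ignoring spaces around '='."""
    attr, _, val = rdn.partition("=")
    return attr.strip().lower(), val.strip().lower()


def unresolved_rdns(base_dn, matched_dn):
    """Return the leading RDNs of base_dn that lie below the matched DN."""
    base, matched = split_dn(base_dn), split_dn(matched_dn)
    keep = len(base) - len(matched)
    if keep < 0 or [norm(r) for r in base[keep:]] != [norm(r) for r in matched]:
        raise ValueError("matched DN is not a suffix of the search base")
    return base[:keep]


def diagnose(trace):
    """Pair each 'ldapsearch ... -b BASE' with the Matched DN after a result 32."""
    findings, base, failed = [], None, False
    for line in trace.splitlines():
        m = re.search(r"\bldapsearch\b.*?\s-b\s+(?:'([^']*)'|(\S+))", line)
        if m:
            base, failed = m.group(1) or m.group(2), False
        elif line.startswith("No such object (32)"):
            failed = True
        elif failed and base and line.startswith("Matched DN:"):
            matched = line.split(":", 1)[1].strip()
            findings.append((base, matched, unresolved_rdns(base, matched)))
            failed = False
    return findings
```

For the trace in this thread it reports `ou=hadoop-ad` as the component the server could not find under `DC=hadoopsecurity,DC=local`.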

Re: Error while Enabling Kerberos

New Contributor

Hi...!!

Thanks, but the user exists in the path and has also been given all the access.


Re: Error while Enabling Kerberos

Master Collaborator

@Shri23 can you please show the access of this svc account?


Cheers!