Error while Enabling Kerberos

New Contributor

/usr/share/cmf/bin/import_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf7282863856941320449.keytab
+ USER=cm@HADOOPSECURITY.LOCAL
+ PASSWD=REDACTED
+ KVNO=1
+ SLEEP=0
+ RHEL_FILE=/etc/redhat-release
+ '[' -f /etc/redhat-release ']'
+ set +e
+ grep Tikanga /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'CentOS release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'Scientific Linux release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ IFS=' '
+ read -a ENC_ARR
+ for ENC in '"${ENC_ARR[@]}"'
+ ktutil
+ echo 'addent -password -p cm@HADOOPSECURITY.LOCAL -k 1 -e rc4-hmac'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cm@HADOOPSECURITY.LOCAL -k 1 -e aes128-cts-hmac-sha1-96'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cm@HADOOPSECURITY.LOCAL -k 1 -e aes256-cts-hmac-sha1-96'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p cm@HADOOPSECURITY.LOCAL -k 1 -e arcfour-hmac-md5'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/cloudera-scm-server/cmf7282863856941320449.keytab'
+ chmod 600 /var/run/cloudera-scm-server/cmf7282863856941320449.keytab
+ kinit -k -t /var/run/cloudera-scm-server/cmf7282863856941320449.keytab cm@HADOOPSECURITY.LOCAL
+ '[' true '!=' true ']'
++ mktemp /tmp/cm_ldap.XXXXXXXX
+ LDAP_CONF=/tmp/cm_ldap.0sQi4sKr
+ echo 'TLS_REQCERT never'
+ echo 'sasl_secprops minssf=0,maxssf=0'
+ export LDAPCONF=/tmp/cm_ldap.0sQi4sKr
+ LDAPCONF=/tmp/cm_ldap.0sQi4sKr
+ set +e
+ ldapsearch -LLL -H ldaps://hadoop-ad.hadoopsecurity.local:636 -b ou=hadoop-ad,DC=hadoopsecurity,DC=local userPrincipalName=cm@HADOOPSECURITY.LOCAL
SASL/GSSAPI authentication started
SASL username: cm@HADOOPSECURITY.LOCAL
SASL SSF: 0
No such object (32)
Matched DN: DC=hadoopsecurity,DC=local
Additional information: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=hadoopsecurity,DC=local'

+ '[' 32 -ne 0 ']'
+ echo 'ldapsearch did not work with SASL authentication. Trying with simple authentication'
+ ldapsearch -LLL -H ldaps://hadoop-ad.hadoopsecurity.local:636 -b ou=hadoop-ad,DC=hadoopsecurity,DC=local -x -D cm@HADOOPSECURITY.LOCAL -w REDACTED userPrincipalName=cm@HADOOPSECURITY.LOCAL
No such object (32)
Matched DN: DC=hadoopsecurity,DC=local
Additional information: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=hadoopsecurity,DC=local'

+ '[' 32 -ne 0 ']'
+ echo 'Failed to do ldapsearch.'
+ echo 'Please make sure Active Directory configuration is correctly specified and LDAP over SSL is enabled.'
+ exit 1

>>


Master Guru

@Shri23 Error 32 usually means the referenced object does not exist, i.e. you entered a bad DN value for something that needed a correct DN value.

Please look at your AD and confirm that the user exists in the path:

ou=hadoop-ad,DC=hadoopsecurity,DC=local userPrincipalName=cm@HADOOPSECURITY.LOCAL

Also, as a side note, the service account should have create, modify and delete access in AD as well.


Cheers!
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.
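
Added example, not part of the original thread or of the Cloudera script: in an LDAP `No such object (32)` result, `Matched DN` is the deepest ancestor of the search base that the server did find, so comparing it with the `-b` value shows which part of the base is unresolved. The function names `norm_dn` and `missing_rdns` are hypothetical; the sample text is copied from the log in the question.

```shell
#!/bin/sh
# Explain an ldapsearch "No such object (32)" failure by comparing the
# search base (-b) with the "Matched DN" line returned by the server.

# Normalise a DN for comparison: lower-case, no spaces around commas.
norm_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g; s/^ *//; s/ *$//'
}

# missing_rdns BASE_DN LDAPSEARCH_OUTPUT
# Prints the leading part of BASE_DN that the directory could not resolve.
# Returns 0 when a gap was identified, 1 when the output is not a code-32
# failure, 2 when Matched DN is not a proper ancestor of the base.
missing_rdns() {
    base=$(norm_dn "$1")
    out=$2
    printf '%s\n' "$out" | grep -q '^No such object (32)' || return 1
    matched=$(printf '%s\n' "$out" | sed -n 's/^Matched DN: *//p' | head -n 1)
    matched=$(norm_dn "$matched")
    if [ -z "$matched" ]; then
        printf '%s\n' "$base"    # server resolved no part of the base
        return 0
    fi
    case "$base" in
        *",$matched") printf '%s\n' "${base%,"$matched"}"; return 0 ;;
        *) return 2 ;;
    esac
}

# Sample input: the -b value and the error text from the log in the question.
SAMPLE_BASE='ou=hadoop-ad,DC=hadoopsecurity,DC=local'
SAMPLE_OUTPUT="No such object (32)
Matched DN: DC=hadoopsecurity,DC=local
Additional information: 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
'DC=hadoopsecurity,DC=local'"

echo "search base:     $SAMPLE_BASE"
echo "unresolved part: $(missing_rdns "$SAMPLE_BASE" "$SAMPLE_OUTPUT")"
```

For the log in the question the unresolved part is `ou=hadoop-ad`: the server resolved `DC=hadoopsecurity,DC=local` but found no entry with that RDN directly beneath it.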

New Contributor

Hi...!!

Thanks, but the user exists in the path and has also been given all the access.

Master Guru

@Shri23 Can you please show the access of this svc account?


Cheers!