
Error while enabling Kerberos

Contributor

Hi,

I am trying to enable Kerberos for the newly built cluster. The user has full control over the OU, and I also tested adding a user using ldapadd, but Cloudera Manager throws INSUFF_ACCESS_RIGHTS for the same user:

2018-07-09 16:00:16,785 ERROR CommandPusher:com.cloudera.cmf.command.CommandHelpers: GenerateCredentials - Execution error: 
java.io.IOException: /usr/share/cmf/bin/gen_credentials_ad.sh failed with exit code 50 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf1473504603598890242.keytab
+ PRINC=hue/hostname.example.com@EXAMPLE.COM
+ USER=user_LFecFhBoWF
+ PASSWD=REDACTED
+ DELETE_ON_REGENERATE=true
+ SET_ENCRYPTION_TYPES=true
+ ENC_TYPES_MASK=28
+ USERACCOUNTCONTROL=66048
+ ACCOUNTEXPIRES=0
+ OBJECTCLASSES='objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
'
+ DIST_NAME='CN=prod_LFecFhBoWF,OU=username,OU=example Enterprise,DC=example,DC=com'
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ SIMPLE_PWD_STR=
+ '[' 'REDACTED' = '' ']'
+ SIMPLE_PWD_STR='-x -D user@EXAMPLE>COM -w REDACTED'
++ mktemp /tmp/cm_ldap.XXXXXXXX
+ LDAP_CONF=/tmp/cm_ldap.9d2I7GO6
+ echo 'TLS_REQCERT never'
+ echo 'sasl_secprops minssf=0,maxssf=0'
+ export LDAPCONF=/tmp/cm_ldap.9d2I7GO6
+ LDAPCONF=/tmp/cm_ldap.9d2I7GO6
++ ldapsearch -LLL -H ldap://ldaphost.example.com -b 'OU=username,OU=Servers,OU=example Enterprise,DC=example,DC=com' -x -D user@EXAMPLE>COM -w 'REDACTED' userPrincipalName=hue/hostname.example.com@EXAMPLE.COM
+ PRINC_SEARCH=
++ echo ''
++ sed -n '1 {h; $ !d}; $ {x; s/\n //g; p}; /^ / {H; d}; /^ /! {x; s/\n //g; p}'
+ RESULTS_UNWRAPPED=
+ echo $'\342\200\234\342\200\235'
+ set +e
+ echo
+ grep -q userPrincipalName
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' true = true ']'
+ ldapmodify -H ldap://ldaphost.example.com -x -D user@EXAMPLE>COM -w 'REDACTED'
++ echo 'objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
'
++ sed /str/d
++ echo hue/hostname.example.com@EXAMPLE.COM
++ sed -e 's/\@EXAMPLE.COM//g'
++ echo -n '"REDACTED"'
++ iconv -f UTF8 -t UTF16LE
++ base64 -w 0
ldap_add: Insufficient access (50)
additional info: 00000005: SecErr: DSID-031A11CC, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


>>

As soon as I hit Import KDC Account Manager Credentials, I also see the following message in /var/log/messages:

Jul 9 17:17:39 hostname ldapsearch: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

In need of serious help. Thanks in advance!

Master Guru

@balusu

A couple things:

(1)

Your 'kinit' test shows that your krb5.conf is not configured for Hadoop.

You have the default Linux krb5.conf there.

Edit it and comment out the line starting with default_ccache_name.

Java does not support keyring credentials cache at this time, so Java processes will not have access to it and will fail if MIT kinit was used to create credentials.

(2)

"ICMP Port Unreachable" is a clear indicator that the server side cannot access the port being requested. In this case, it should be port 88. Make sure your host's /etc/krb5.conf is configured with the realm in the [realms] section correctly. Your realm should have at least one "kdc" like:

kdc = myadkdc.example.com:88

If that is configured, try running a telnet to that port like:

# telnet myadkdc.example.com 88

Maybe use Wireshark or tcpdump too to debug what is going on...
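The two checks in the reply above, an active default_ccache_name line and a kdc entry for the realm under [realms], followed by a TCP probe of port 88, written as a script. This is an added example, not code from the thread or from Cloudera; the sample krb5.conf, the function names, and the use of GNU `timeout` with bash's /dev/tcp in place of the telnet command are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Cloudera): checks the two krb5.conf
# points raised above and probes the KDC port. Sample config, function names and
# the use of GNU 'timeout' plus bash's /dev/tcp (instead of telnet) are assumptions.
set -u

# Point (1): returns 0 when no active (uncommented) default_ccache_name line is
# present, 1 when one is. Java cannot read a KEYRING: cache, so an active line
# is the setting to comment out.
krb5_ccache_ok() {
    local conf="$1"
    ! grep -Eq '^[[:space:]]*default_ccache_name[[:space:]]*=' "$conf"
}

# Point (2): prints the kdc values (host[:port]) listed for REALM inside the
# [realms] section, one per line. Comment lines (# or ;) are ignored.
krb5_kdcs_for_realm() {
    local conf="$1" realm="$2"
    awk -v realm="$realm" '
        /^[[:space:]]*[#;]/ { next }                                # comment line
        /^[[:space:]]*\[/   { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/); next }
        !in_realms          { next }
        /^[[:space:]]*[^[:space:]=]+[[:space:]]*=[[:space:]]*[{]/ {   # "REALM = {"
            cur = $0; sub(/^[[:space:]]*/, "", cur); sub(/[[:space:]]*=.*/, "", cur); next
        }
        /^[[:space:]]*[}]/  { cur = ""; next }                       # end of realm block
        cur == realm && /^[[:space:]]*kdc[[:space:]]*=/ {
            v = $0; sub(/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*/, "", v)
            sub(/[[:space:]]+$/, "", v); print v
        }
    ' "$conf"
}

# TCP probe of host[:port] (port 88 when omitted), the same check the telnet
# command above performs. Returns 0 when the connection succeeds.
kdc_tcp_reachable() {
    local target="$1" host port
    host="${target%%:*}"
    port="${target#*:}"
    [ "$port" = "$target" ] && port=88
    timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Runs both checks on CONF for REALM; exit status 1 when either needs fixing.
check_krb5() {
    local conf="$1" realm="$2" rc=0 kdcs k
    if krb5_ccache_ok "$conf"; then
        echo "ok:  no active default_ccache_name in $conf"
    else
        echo "FIX: comment out default_ccache_name in $conf (Java cannot use a keyring cache)"
        rc=1
    fi
    kdcs="$(krb5_kdcs_for_realm "$conf" "$realm")"
    if [ -z "$kdcs" ]; then
        echo "FIX: no kdc entry for realm $realm under [realms] in $conf"
        rc=1
    else
        for k in $kdcs; do
            if kdc_tcp_reachable "$k"; then
                echo "ok:  KDC $k accepts TCP connections"
            else
                echo "WARN: KDC $k port not reachable (check DNS, firewall, the kdc line)"
            fi
        done
    fi
    return "$rc"
}

# Constructed sample: the shape of a stock Linux krb5.conf with the keyring line
# still active, plus a realm block. Prints the path of the temp file it writes.
write_sample_conf() {
    local f
    f="$(mktemp)"
    cat > "$f" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 EXAMPLE.COM = {
  kdc = myadkdc.example.com:88
  kdc = myadkdc2.example.com
  admin_server = myadkdc.example.com
 }
 OTHER.ORG = {
  kdc = kdc.other.org
 }
EOF
    printf '%s\n' "$f"
}

# Usage: bash krb5check.sh /etc/krb5.conf EXAMPLE.COM
#        bash krb5check.sh --demo    (runs the checks on the constructed sample)
if [ "${1:-}" = "--demo" ]; then
    sample="$(write_sample_conf)"
    check_krb5 "$sample" EXAMPLE.COM
    rm -f "$sample"
elif [ $# -eq 2 ]; then
    check_krb5 "$1" "$2"
fi
```

Run it against the real file with the realm name as the second argument; the first "FIX" line corresponds to point (1) and the second to point (2), and a "WARN" on a listed KDC is the case where the telnet test would also fail and tcpdump or Wireshark is the next step.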

Contributor

@bgooley

Fantastic!... Both of the changes did the magic 🙂 Kudos!!!