Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Now Live: Explore expert insights and technical deep dives on the new Cloudera Community BlogsRead the Announcement

Execution of '/usr/bin/kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-uktehdpprod@EUROPE.ODCORP.NET' returned 1. kinit: Clients credentials have been revoked while getting initial credentials

Labels:
avatar
author-rank Rarjun
Rising Star

Created on ‎10-04-2017 05:14 PM - edited ‎09-16-2022 05:21 AM

 
11,135 Views
0 Kudos
2 REPLIES 2

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎10-04-2017 05:26 PM

@arjun more

Usually this indicates that the Account might be locked from the Active Directory (or MIT KDC Side).

Please check from the AD (KDC) side if there is any issue.

Example for unlocking the principal from MIT KDC side:

A principal which has been locked out can be administratively unlocked with the-unlockoption to themodprinckadmin command:

kadmin: modprinc -unlock $PRINCNAME

.

https://web.mit.edu/kerberos/krb5-1.13/doc/admin/lockout.html

8,783 Views
0 Kudos

avatar
author-rank Shelton
Master Mentor

Created ‎10-04-2017 05:56 PM

@arjun more

If you have KDC and AD integrated, this simply means the account to which the keytab is related has been disabled, locked, expired, or deleted.

The AD service account should NEVER expire.

If not could you validate the below steps

Make sure the [realms] and [domain_realms] entries in cat /etc/krb5.conf is correct.

Validate the contents of these 2 files /var/kerberos/krb5kdc/kdc.conf , /var/kerberos/krb5kdc/kadm5.acl

Check the hdfs prinncipal

# kadmin.local 
Authenticating as principal hdfs-uktehdpprod/admin@EUROPE.ODCORP.NET with password. 
kadmin.local: listprincs hdfs* 
hdfs-uktehdpprod@EUROPE.ODCORP.NET 
kadmin.local:

Get the correct prncipal for hdfs 

# klist -kt /etc/security/keytabs/hdfs.headless.keytab 
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab 
KVNO Timestamp Principal ---- ------------------- ------------------------------------------------------ 
1 08/24/2017 15:42:23 hdfs-uktehdpprod@EUROPE.ODCORP.NET 
1 08/24/2017 15:42:23 hdfs-uktehdpprod@EUROPE.ODCORP.NET 
1 08/24/2017 15:42:23 hdfs-uktehdpprod@EUROPE.ODCORP.NET

Try grabbing a valid Kerberos ticket 

# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-uktehdpprod@EUROPE.ODCORP.NET

Validate the avalability period 

# klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: hdfs-uktehdpprod@EUROPE.ODCORP.NET 
Valid       starting      Expires              Service principal 
10/04/2017  19:36:12      10/05/2017 19:36:12 krbtgt/EUROPE.ODCORP.NET@EUROPE.ODCORP.NET

Please revert

8,783 Views
0 Kudos
Announcements
Community Announcements
Announcing the Launch of Cloudera Community Blogs
Community Announcements
October / November 2025 Community Highlights
What's New @ Cloudera
Announcing Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
Announcing Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
Welcome to the Cloudera Community!
View More Announcements