
Execution of '/usr/bin/kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-uktehdpprod@EUROPE.ODCORP.NET' returned 1. kinit: Clients credentials have been revoked while getting initial credentials


Re: Execution of '/usr/bin/kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-uktehdpprod@EUROPE.ODCORP.NET' returned 1. kinit: Clients credentials have been revoked while getting initial credentials

Super Mentor

@arjun more

Usually this indicates that the Account might be locked from the Active Directory (or MIT KDC Side).

Please check from the AD (KDC) side if there is any issue.

Example for unlocking the principal from MIT KDC side:

A principal which has been locked out can be administratively unlocked with the -unlock option to the modprinc kadmin command:

kadmin: modprinc -unlock $PRINCNAME


https://web.mit.edu/kerberos/krb5-1.13/doc/admin/lockout.html


Re: Execution of '/usr/bin/kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-uktehdpprod@EUROPE.ODCORP.NET' returned 1. kinit: Clients credentials have been revoked while getting initial credentials

Mentor

@arjun more

If you have KDC and AD integrated, this simply means the account to which the keytab is related has been disabled, locked, expired, or deleted.

The AD service account should NEVER expire.

If not, could you validate the steps below:

Make sure the [realms] and [domain_realms] entries in cat /etc/krb5.conf are correct.

Validate the contents of these 2 files: /var/kerberos/krb5kdc/kdc.conf, /var/kerberos/krb5kdc/kadm5.acl

Check the hdfs principal

# kadmin.local 
Authenticating as principal hdfs-uktehdpprod/admin@EUROPE.ODCORP.NET with password. 
kadmin.local: listprincs hdfs* 
hdfs-uktehdpprod@EUROPE.ODCORP.NET 
kadmin.local: 

Get the correct principal for hdfs

# klist -kt /etc/security/keytabs/hdfs.headless.keytab 
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab 
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 08/24/2017 15:42:23 hdfs-uktehdpprod@EUROPE.ODCORP.NET
   1 08/24/2017 15:42:23 hdfs-uktehdpprod@EUROPE.ODCORP.NET
   1 08/24/2017 15:42:23 hdfs-uktehdpprod@EUROPE.ODCORP.NET

Try grabbing a valid Kerberos ticket

# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-uktehdpprod@EUROPE.ODCORP.NET 

Validate the availability period

# klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: hdfs-uktehdpprod@EUROPE.ODCORP.NET 
Valid       starting      Expires              Service principal 
10/04/2017  19:36:12      10/05/2017 19:36:12 krbtgt/EUROPE.ODCORP.NET@EUROPE.ODCORP.NET

Please revert
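
As an added example, not part of either reply: a shell function that reads the text printed by `kadmin.local -q "getprinc <principal>"` on an MIT KDC and flags the conditions the replies name (locked, disabled, expired). The sample output, principal, realm and the policy name `svc_lockout` are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): triage the text printed by
#   kadmin.local -q "getprinc <principal>"
# on an MIT KDC for the conditions the replies name: locked, disabled, expired.

# Constructed sample output; principal, realm, dates and policy are placeholders.
SAMPLE_GETPRINC='Principal: hdfs-example@EXAMPLE.COM
Expiration date: [never]
Last password change: Thu Aug 24 15:42:23 UTC 2017
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Last successful authentication: Tue Oct 03 09:12:40 UTC 2017
Last failed authentication: Wed Oct 04 19:30:01 UTC 2017
Failed password attempts: 5
Number of keys: 1
Key: vno 1, aes256-cts-hmac-sha1-96
Attributes:
Policy: svc_lockout'

# Reads getprinc output on stdin and prints one finding per line.
triage_getprinc() {
  awk -F': ' '
    /^Expiration date:/            { expiry = $2 }
    /^Last failed authentication:/ { lastfail = $2 }
    /^Failed password attempts:/   { fails = $2 + 0 }
    /^Attributes:/                 { attrs = $2 }
    /^Policy:/                     { policy = $2 }
    END {
      n = 0
      # DISALLOW_ALL_TIX makes the KDC refuse every ticket for the principal.
      if (attrs ~ /DISALLOW_ALL_TIX/) {
        print "DISABLED: DISALLOW_ALL_TIX set; clear with modprinc +allow_tix"; n++
      }
      # A non-zero counter only means lockout once it reaches the policy
      # max_failure value, so point the operator at getpol for the threshold.
      if (fails > 0) {
        print "LOCKOUT_SUSPECT: " fails " failed attempts (last: " lastfail "); compare with getpol " policy; n++
      }
      if (expiry != "" && expiry != "[never]") {
        print "EXPIRY_SET: principal expiration date is " expiry; n++
      }
      if (n == 0) print "CLEAN: no lockout, disable or expiry markers"
    }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_GETPRINC" | triage_getprinc
```

A LOCKOUT_SUSPECT finding is the case the first reply's `modprinc -unlock` addresses; a run of failed attempts from a keytab-only service principal is also worth tracing to the host that keeps presenting a stale keytab.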
