Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Execution of '/usr/bin/kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-uktehdpprod@EUROPE.ODCORP.NET' returned 1. kinit: Clients credentials have been revoked while getting initial credentials

avatar
Rising Star
 
2 REPLIES 2

avatar
Master Mentor

@arjun more

Usually this indicates that the Account might be locked from the Active Directory (or MIT KDC Side).

Please check from the AD (KDC) side if there is any issue.

Example for unlocking the principal from MIT KDC side:

A principal which has been locked out can be administratively unlocked with the-unlockoption to themodprinckadmin command:

kadmin: modprinc -unlock $PRINCNAME

.

https://web.mit.edu/kerberos/krb5-1.13/doc/admin/lockout.html

avatar
Master Mentor

@arjun more

If you have KDC and AD integrated, this simply means the account to which the keytab is related has been disabled, locked, expired, or deleted.

The AD service account should NEVER expire.

If not could you validate the below steps

Make sure the [realms] and [domain_realms] entries in cat /etc/krb5.conf is correct.

Validate the contents of these 2 files /var/kerberos/krb5kdc/kdc.conf , /var/kerberos/krb5kdc/kadm5.acl

Check the hdfs prinncipal

# kadmin.local 
Authenticating as principal hdfs-uktehdpprod/admin@EUROPE.ODCORP.NET with password. 
kadmin.local: listprincs hdfs* 
hdfs-uktehdpprod@EUROPE.ODCORP.NET 
kadmin.local: 

Get the correct prncipal for hdfs

# klist -kt /etc/security/keytabs/hdfs.headless.keytab 
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab 
KVNO Timestamp Principal ---- ------------------- ------------------------------------------------------ 
1 08/24/2017 15:42:23 hdfs-uktehdpprod@EUROPE.ODCORP.NET 
1 08/24/2017 15:42:23 hdfs-uktehdpprod@EUROPE.ODCORP.NET 
1 08/24/2017 15:42:23 hdfs-uktehdpprod@EUROPE.ODCORP.NET 

Try grabbing a valid Kerberos ticket

# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-uktehdpprod@EUROPE.ODCORP.NET 

Validate the avalability period

# klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: hdfs-uktehdpprod@EUROPE.ODCORP.NET 
Valid       starting      Expires              Service principal 
10/04/2017  19:36:12      10/05/2017 19:36:12 krbtgt/EUROPE.ODCORP.NET@EUROPE.ODCORP.NET

Please revert