Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Execution of '/usr/bin/kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-uktehdpprod@EUROPE.ODCORP.NET' returned 1. kinit: Clients credentials have been revoked while getting initial credentials

Labels:
avatar
author-rank Rarjun
Rising Star

Created on ‎10-04-2017 05:14 PM - edited ‎09-16-2022 05:21 AM

 
10,336 Views
0 Kudos
0
2 REPLIES 2

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎10-04-2017 05:26 PM

@arjun more

Usually this indicates that the Account might be locked from the Active Directory (or MIT KDC Side).

Please check from the AD (KDC) side if there is any issue.

Example for unlocking the principal from MIT KDC side:

A principal which has been locked out can be administratively unlocked with the-unlockoption to themodprinckadmin command:

kadmin: modprinc -unlock $PRINCNAME

.

https://web.mit.edu/kerberos/krb5-1.13/doc/admin/lockout.html

7,984 Views
0 Kudos

avatar
author-rank Shelton
Master Mentor

Created ‎10-04-2017 05:56 PM

@arjun more

If you have KDC and AD integrated, this simply means the account to which the keytab is related has been disabled, locked, expired, or deleted.

The AD service account should NEVER expire.

If not could you validate the below steps

Make sure the [realms] and [domain_realms] entries in cat /etc/krb5.conf is correct.

Validate the contents of these 2 files /var/kerberos/krb5kdc/kdc.conf , /var/kerberos/krb5kdc/kadm5.acl

Check the hdfs prinncipal

# kadmin.local 
Authenticating as principal hdfs-uktehdpprod/admin@EUROPE.ODCORP.NET with password. 
kadmin.local: listprincs hdfs* 
hdfs-uktehdpprod@EUROPE.ODCORP.NET 
kadmin.local:

Get the correct prncipal for hdfs 

# klist -kt /etc/security/keytabs/hdfs.headless.keytab 
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab 
KVNO Timestamp Principal ---- ------------------- ------------------------------------------------------ 
1 08/24/2017 15:42:23 hdfs-uktehdpprod@EUROPE.ODCORP.NET 
1 08/24/2017 15:42:23 hdfs-uktehdpprod@EUROPE.ODCORP.NET 
1 08/24/2017 15:42:23 hdfs-uktehdpprod@EUROPE.ODCORP.NET

Try grabbing a valid Kerberos ticket 

# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-uktehdpprod@EUROPE.ODCORP.NET

Validate the avalability period 

# klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: hdfs-uktehdpprod@EUROPE.ODCORP.NET 
Valid       starting      Expires              Service principal 
10/04/2017  19:36:12      10/05/2017 19:36:12 krbtgt/EUROPE.ODCORP.NET@EUROPE.ODCORP.NET

Please revert

7,984 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements