Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Execution of '/usr/bin/kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-uktehdpprod@EUROPE.ODCORP.NET' returned 1. kinit: Clients credentials have been revoked while getting initial credentials

Labels:
avatar
author-rank Rarjun
Rising Star

Created on ‎10-04-2017 05:14 PM - edited ‎09-16-2022 05:21 AM

 
9,891 Views
0 Kudos
2 REPLIES 2

avatar
author-rank jsensharma author-rank
Master Mentor

Created ‎10-04-2017 05:26 PM

@arjun more

Usually this indicates that the Account might be locked from the Active Directory (or MIT KDC Side).

Please check from the AD (KDC) side if there is any issue.

Example for unlocking the principal from MIT KDC side:

A principal which has been locked out can be administratively unlocked with the-unlockoption to themodprinckadmin command:

kadmin: modprinc -unlock $PRINCNAME

.

https://web.mit.edu/kerberos/krb5-1.13/doc/admin/lockout.html

7,539 Views
0 Kudos

avatar
author-rank Shelton
Master Mentor

Created ‎10-04-2017 05:56 PM

@arjun more

If you have KDC and AD integrated, this simply means the account to which the keytab is related has been disabled, locked, expired, or deleted.

The AD service account should NEVER expire.

If not could you validate the below steps

Make sure the [realms] and [domain_realms] entries in cat /etc/krb5.conf is correct.

Validate the contents of these 2 files /var/kerberos/krb5kdc/kdc.conf , /var/kerberos/krb5kdc/kadm5.acl

Check the hdfs prinncipal

# kadmin.local 
Authenticating as principal hdfs-uktehdpprod/admin@EUROPE.ODCORP.NET with password. 
kadmin.local: listprincs hdfs* 
hdfs-uktehdpprod@EUROPE.ODCORP.NET 
kadmin.local:

Get the correct prncipal for hdfs 

# klist -kt /etc/security/keytabs/hdfs.headless.keytab 
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab 
KVNO Timestamp Principal ---- ------------------- ------------------------------------------------------ 
1 08/24/2017 15:42:23 hdfs-uktehdpprod@EUROPE.ODCORP.NET 
1 08/24/2017 15:42:23 hdfs-uktehdpprod@EUROPE.ODCORP.NET 
1 08/24/2017 15:42:23 hdfs-uktehdpprod@EUROPE.ODCORP.NET

Try grabbing a valid Kerberos ticket 

# kinit -kt /etc/security/keytabs/hdfs.headless.keytab hdfs-uktehdpprod@EUROPE.ODCORP.NET

Validate the avalability period 

# klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: hdfs-uktehdpprod@EUROPE.ODCORP.NET 
Valid       starting      Expires              Service principal 
10/04/2017  19:36:12      10/05/2017 19:36:12 krbtgt/EUROPE.ODCORP.NET@EUROPE.ODCORP.NET

Please revert

7,539 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements