Import KDC Account Manager Credentials Command failed

I'm attempting to install CDH 5.9 and enable Kerberos but am getting the following error when going through the Kerberos wizard.

/usr/share/cmf/bin/import_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf4852346331449807753.keytab
+ USER=cloudera-scm/admin@TD.MYDOM.COM
+ PASSWD=REDACTED
+ KVNO=1
+ SLEEP=0
+ RHEL_FILE=/etc/redhat-release
+ '[' -f /etc/redhat-release ']'
+ set +e
+ grep Tikanga /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'CentOS release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'Scientific Linux release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ IFS=' '
+ read -a ENC_ARR
+ for ENC in '"${ENC_ARR[@]}"'
+ ktutil
+ echo 'addent -REDACTED -p cloudera-scm/admin@TD.MYDOM.COM -k 1 -e rc4-hmac'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/cloudera-scm-server/cmf4852346331449807753.keytab'
+ chmod 600 /var/run/cloudera-scm-server/cmf4852346331449807753.keytab
+ kinit -k -t /var/run/cloudera-scm-server/cmf4852346331449807753.keytab cloudera-scm/admin@TD.MYDOM.COM
kinit: Generic preauthentication failure while getting initial credentials

>>

The principal cloudera-scm/admin@TD.MYDOM.COM works fine when I do this on the CM Host.

$ kinit cloudera-scm/admin@TD.MYDOM.COM
Password for cloudera-scm/admin@TD.MYDOM.COM:

$ klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cloudera-scm/admin@TD.MYDOM.COM

Valid starting     Expires            Service principal
12/14/16 09:30:07  12/14/16 09:40:07  krbtgt/TD.MYDOM.COM@TD.MYDOM.COM
	renew until 12/21/16 09:30:05, Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1

1 ACCEPTED SOLUTION

I worked around this by using this enctype in the wizard.

default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac

Curiously I had rc4-hmac in my /etc/krb5.conf and also on the KDC server but for whatever reason it didn't seem to be working. Switching to the above encryption type solved my issue with the wizard.
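
Added example, not part of the original thread or of Cloudera's script: a bash diagnostic that compares the enctype the wizard wrote into the keytab (rc4-hmac in the trace) with the enctypes klist -e showed after the password login, and lists which configured enctypes are deprecated. Function names are hypothetical; the sample text is copied from the posts above.

```bash
#!/usr/bin/env bash
# Added example; function names are hypothetical. Inputs are copied from the
# thread: the klist -e output in the question and the krb5.conf lines in the answer.
KLIST_OUT='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cloudera-scm/admin@TD.MYDOM.COM

Valid starting     Expires            Service principal
12/14/16 09:30:07  12/14/16 09:40:07  krbtgt/TD.MYDOM.COM@TD.MYDOM.COM
    renew until 12/21/16 09:30:05, Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1'
KRB5_CONF='default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac'
WIZARD_ETYPE=rc4-hmac   # from the "addent ... -e rc4-hmac" line in the trace

# Enctypes seen in "Etype (skey, tkt): a, b" lines of klist -e (stdin).
issued_etypes() {
  sed -n 's/.*Etype (skey, tkt): *//p' | tr ',' '\n' | tr -d ' \t' | sort -u
}

# Values of one krb5.conf enctype key ($1), one per line; krb5.conf text on stdin.
conf_etypes() {
  awk -F= -v k="$1" '{ key = $1; gsub(/[ \t]/, "", key) }
    key == k { n = split($2, a, /[ \t,]+/)
               for (i = 1; i <= n; i++) if (a[i] != "") print a[i] }'
}

# Succeeds when enctype $1 appears among the issued enctypes (klist -e on stdin).
etype_was_issued() {
  issued_etypes | grep -qx -- "$1"
}

# Configured enctypes deprecated for Kerberos: single DES (RFC 6649),
# triple DES and RC4 (RFC 8429). krb5.conf text on stdin, key name in $1.
deprecated_etypes() {
  conf_etypes "$1" | grep -E '^(des-cbc-|des3-cbc-|rc4-hmac|arcfour-hmac)' || true
}

if printf '%s\n' "$KLIST_OUT" | etype_was_issued "$WIZARD_ETYPE"; then
  echo "$WIZARD_ETYPE matches an enctype from the password login"
else
  echo "$WIZARD_ETYPE not seen in the password login; KDC issued:" \
       "$(printf '%s\n' "$KLIST_OUT" | issued_etypes | tr '\n' ' ')"
  echo "check which key types the principal actually has on the KDC"
fi
echo "deprecated in permitted_enctypes:" \
     "$(printf '%s\n' "$KRB5_CONF" | deprecated_etypes permitted_enctypes | tr '\n' ' ')"
```

The session-key and ticket enctypes in klist -e are a hint, not the principal's long-term key list, so a mismatch is a reason to inspect the principal on the KDC rather than proof of the cause.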
