Import KDC Account Manager Credentials Command failed


I'm attempting to install CDH 5.9 and enable Kerberos but am getting the following error when going through the Kerberos wizard.

 

/usr/share/cmf/bin/import_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf4852346331449807753.keytab
+ USER=cloudera-scm/admin@TD.MYDOM.COM
+ PASSWD=REDACTED
+ KVNO=1
+ SLEEP=0
+ RHEL_FILE=/etc/redhat-release
+ '[' -f /etc/redhat-release ']'
+ set +e
+ grep Tikanga /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'CentOS release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'Scientific Linux release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ IFS=' '
+ read -a ENC_ARR
+ for ENC in '"${ENC_ARR[@]}"'
+ ktutil
+ echo 'addent -REDACTED -p cloudera-scm/admin@TD.MYDOM.COM -k 1 -e rc4-hmac'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/cloudera-scm-server/cmf4852346331449807753.keytab'
+ chmod 600 /var/run/cloudera-scm-server/cmf4852346331449807753.keytab
+ kinit -k -t /var/run/cloudera-scm-server/cmf4852346331449807753.keytab cloudera-scm/admin@TD.MYDOM.COM
kinit: Generic preauthentication failure while getting initial credentials

>>

The principal cloudera-scm/admin@TD.MYDOM.COM works fine when I do this on the CM Host.

 

$ kinit cloudera-scm/admin@TD.MYDOM.COM
Password for cloudera-scm/admin@TD.MYDOM.COM:

$ klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cloudera-scm/admin@TD.MYDOM.COM

Valid starting     Expires            Service principal
12/14/16 09:30:07  12/14/16 09:40:07  krbtgt/TD.MYDOM.COM@TD.MYDOM.COM
	renew until 12/21/16 09:30:05, Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1

Accepted Solutions
Re: Import KDC Account Manager Credentials Command failed

I worked around this by using this enctype in the wizard.

 

default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac
default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac

 

 

Curiously I had rc4-hmac in my /etc/krb5.conf and also on the KDC server but for whatever reason it didn't seem to be working. Switching to the above encryption type solved my issue with the wizard.
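
A diagnostic for the symptom in this thread, added here as an example; it is not part of the original posts and not Cloudera's code. In the question, the manual `kinit` returned a ticket with `des3-cbc-sha1` while the wizard's keytab held only an `rc4-hmac` key. Assuming that kind of mismatch is worth ruling out, the script compares the enctypes on a working ticket with the list given to the wizard and also marks which configured enctypes are deprecated (function names are hypothetical, sample input is constructed from the output above):

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.

# Constructed samples, copied from the question: the enctype line of `klist -e`
# and the one enctype the failing wizard run wrote to its keytab.
SAMPLE_KLIST='    renew until 12/21/16 09:30:05, Etype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1'
SAMPLE_WIZARD='rc4-hmac'

# stdin: `klist -e` output. Prints the unique enctypes on the Etype lines,
# folding MIT's arcfour-hmac aliases to rc4-hmac and dropping a DEPRECATED: tag.
ticket_enctypes() {
    sed -n 's/.*Etype (skey, tkt): *//p' | tr ',' '\n' | tr -d ' \t' |
        sed -e '/^$/d' -e 's/^DEPRECATED://' \
            -e 's/^arcfour-hmac\(-md5\)\{0,1\}$/rc4-hmac/' | sort -u
}

# stdin: `klist -e` output; $1: space-separated enctypes given to the wizard.
# Prints every ticket enctype that is absent from that list.
missing_enctypes() {
    configured=" $1 "
    ticket_enctypes | while read -r enc; do
        case "$configured" in
            *" $enc "*) ;;
            *) echo "$enc" ;;
        esac
    done
}

# $1: space-separated enctypes. Prints those deprecated by RFC 6649 (DES)
# or RFC 8429 (3DES, RC4).
deprecated_enctypes() {
    for enc in $1; do
        case "$enc" in
            des-cbc-crc|des-cbc-md5|des3-cbc-sha1|rc4-hmac|arcfour-hmac) echo "$enc" ;;
        esac
    done
}

# Demo on the constructed samples. Live use: klist -e | missing_enctypes "rc4-hmac"
echo "Ticket enctypes missing from the wizard list:"
printf '%s\n' "$SAMPLE_KLIST" | missing_enctypes "$SAMPLE_WIZARD"
echo "Deprecated enctypes in the workaround list:"
deprecated_enctypes "des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac"
```

An empty first list means every enctype seen on the ticket is already in the wizard's list. The ticket line shows the session-key and ticket enctypes, so it is a hint about the principal's keys rather than a listing of them.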
