Issue during kerberos deployment

I tried to integrate Kerberos into my existing Cloudera test environment and stumbled upon some errors.


CDH 5.12.1 is in use.


My problem occurs during Kudu startup and I am pretty sure it's somehow related to the FQDN. I get the following error during start:

Bad status: Runtime error: unable to kinit: unable to login from keytab: Keytab contains no suitable keys for kudu/[hostname.DOMAIN.XX]@[AD-Domain]

For that reason I checked the keytab file and see the following:


# klist -kte /run/cloudera-scm-agent/process/2121-kudu-KUDU_MASTER/kudu.keytab
Keytab name: FILE:/run/cloudera-scm-agent/process/2121-kudu-KUDU_MASTER/kudu.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 10/13/2017 08:57:10 kudu/[hostname]@[AD-Domain] (arcfour-hmac)



I guess the issue comes from different principal names. I have "kudu/[hostname]@[AD-Domain]" in the keytab while the service searches for "kudu/[hostname.DOMAIN.XX]@[AD-Domain]" during startup.


Unfortunately I have no idea how to fix this issue. Maybe one of you can give me a hint?


Thank you for your support!



Kerberos service principals have three parts: the service name, the hostname, and the domain name. The hostname must be in the format of a fully qualified domain name. That is why the service is looking for it in that format while the keytab does not contain an entry for that principal. Recreate the keytab file with the principal in the correct format and you should be good.
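
One way to confirm the mismatch discussed in this thread before and after regenerating the keytab, as an added example that is not part of the original posts or of Cloudera's tooling: it parses `klist -kte` output and compares the entries with `service/FQDN@REALM`. The host `node1.example.com`, the realm `EXAMPLE.COM`, the sample keytab path and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: does a keytab hold a key for service/FQDN@REALM?
# Input is the text printed by `klist -kte <keytab>`.

# Constructed sample shaped like the listing in the question (placeholder names).
SAMPLE_KLIST='Keytab name: FILE:/tmp/example/kudu.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 10/13/2017 08:57:10 kudu/node1@EXAMPLE.COM (arcfour-hmac)'

# Print each principal found in klist output read from stdin, one per line.
# Entry rows start with a numeric KVNO; the principal is the field containing "@".
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ {
        for (i = 2; i <= NF; i++) if ($i ~ /@/) { print $i; break }
    }' | sort -u
}

# check_keytab SERVICE FQDN REALM  (klist output on stdin)
# Returns 0 if SERVICE/FQDN@REALM is present, 1 if only the short-hostname
# form is present (the situation in this thread), 2 if neither is.
check_keytab() {
    want="$1/$2@$3"
    short="$1/${2%%.*}@$3"
    principals=$(keytab_principals)
    if printf '%s\n' "$principals" | grep -qxF -- "$want"; then
        echo "OK: keytab has $want"
        return 0
    fi
    if printf '%s\n' "$principals" | grep -qxF -- "$short"; then
        echo "MISMATCH: keytab has $short but the service requests $want"
        return 1
    fi
    echo "MISSING: no key for $want"
    return 2
}

# Demo on the constructed sample; on a real host, pipe in
#   klist -kte /path/to/kudu.keytab   and pass "$(hostname -f)" as FQDN.
printf '%s\n' "$SAMPLE_KLIST" | check_keytab kudu node1.example.com EXAMPLE.COM || true
```

The comparison is an exact string match, so a difference in letter case between the keytab entry and the requested principal is reported as missing.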