Kerberos:Error occured in generating credentials
Labels: Apache Impala, Cloudera Manager, Kerberos
Created on ‎11-11-2014 08:58 AM - edited ‎09-16-2022 02:12 AM
Hi,
I was enabling Kerberos from Cloudera Manager.
Everything worked fine, but when it tried to do the step of "generating credentials" it gave me an error.
Please find the error below.
Any suggestions?
Waiting for the reply.
/usr/share/cmf/bin/gen_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ CMF_REALM=JNJ.COM
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf7829892990940630057.keytab
+ PRINC=impala/itsusmpl00509.jnj.com@JNJ.COM
+ MAX_RENEW_LIFE=432000
+ KADMIN='kadmin -k -t /var/run/cloudera-scm-server/cmf4619059661181081787.keytab -p cloudera-scm/admin@JNJ.COM -r JNJ.COM'
+ RENEW_ARG=
+ '[' 432000 -gt 0 ']'
+ RENEW_ARG='-maxrenewlife "432000 sec"'
+ kadmin -k -t /var/run/cloudera-scm-server/cmf4619059661181081787.keytab -p cloudera-scm/admin@JNJ.COM -r JNJ.COM -q 'addprinc -maxrenewlife "432000 sec" -randkey impala/itsusmpl00509.jnj.com@JNJ.COM'
WARNING: no policy specified for impala/itsusmpl00509.jnj.com@JNJ.COM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "impala/itsusmpl00509.jnj.com@JNJ.COM".
+ '[' 432000 -gt 0 ']'
++ kadmin -k -t /var/run/cloudera-scm-server/cmf4619059661181081787.keytab -p cloudera-scm/admin@JNJ.COM -r JNJ.COM -q 'getprinc -terse impala/itsusmpl00509.jnj.com@JNJ.COM'
++ tail -1
++ cut -f 12
get_principal: Operation requires ``get'' privilege while retrieving "impala/itsusmpl00509.jnj.com@JNJ.COM".
+ RENEW_LIFETIME='Authenticating as principal cloudera-scm/admin@JNJ.COM with keytab /var/run/cloudera-scm-server/cmf4619059661181081787.keytab.'
+ '[' Authenticating as principal cloudera-scm/admin@JNJ.COM with keytab /var/run/cloudera-scm-server/cmf4619059661181081787.keytab. -eq 0 ']'
/usr/share/cmf/bin/gen_credentials.sh: line 28: [: too many arguments
+ kadmin -k -t /var/run/cloudera-scm-server/cmf4619059661181081787.keytab -p cloudera-scm/admin@JNJ.COM -r JNJ.COM -q 'xst -k /var/run/cloudera-scm-server/cmf7829892990940630057.keytab impala/itsusmpl00509.jnj.com@JNJ.COM'
kadmin: Operation requires ``change-password'' privilege while changing impala/itsusmpl00509.jnj.com@JNJ.COM's key
+ chmod 600 /var/run/cloudera-scm-server/cmf7829892990940630057.keytab
chmod: cannot access `/var/run/cloudera-scm-server/cmf7829892990940630057.keytab': No such file or directory
Created ‎11-13-2014 09:43 AM
Just FYI, it should have a space:
http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/kadm5_acl.html
Created ‎11-11-2014 11:09 AM
What version of Cloudera Manager are you using in the example you provided?
Created ‎11-11-2014 11:12 AM
The latest 5.2 version of Cloudera is used.
Created ‎11-11-2014 11:15 AM
What KDC is in use? What OS and Release Version is the KDC running on?
Created ‎11-11-2014 11:18 AM
Also, what is in your KDC's kadm5.acl file?
Created ‎11-11-2014 11:37 AM
It's KDC 5 running on RHEL 6.3,
and my kadm5.acl file has:
admin@JNJ.COM
Created ‎11-11-2014 12:07 PM
So, realize the reason there was a */admin@REALM in the kadm5.acl file before you changed it: that generic entry was in there so that any principal with a name that ends with /admin is granted administrative rights over the KDC database.
Your Cloudera Manager principal is named cloudera-scm/admin@JNJ.COM, but your ACL file restricts admin to ONLY a user named "admin@JNJ.COM".
From the script output you gave, none of the commands are working through kadmin because the CM server user has no rights.
Either update the kadm5.acl file to include */admin@JNJ.COM, or explicitly set an entry for the CM server scm-server/admin@JNJ.COM. At that point you should be able to configure cluster principals through CM in the KDC.
Todd
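Added here as an illustration, not code from the thread or from Cloudera: a small Python evaluator for MIT Kerberos kadm5.acl entries that follows the matching rules in the MIT documentation (a '*' matches one whole principal component, lowercase letters grant and uppercase deny, 'x' or '*' expands to admcilsp, and the first matching line decides). It shows why an entry for admin@JNJ.COM, or the single token */admin@JNJ.COM*, gives cloudera-scm/admin@JNJ.COM nothing while */admin@JNJ.COM * gives it everything; the ACL strings and the narrower "aci" entry are constructed assumptions, and what Cloudera Manager actually needs may be wider than the three operations gen_credentials.sh ran above.

```python
ALL_PRIVS = set("admcilsp")   # what '*' / 'x' expands to; 'e' (extract) is excluded


def split_principal(p):
    """'cloudera-scm/admin@JNJ.COM' -> (['cloudera-scm', 'admin'], 'JNJ.COM')."""
    name, _, realm = p.rpartition("@")
    return name.split("/"), realm


def principal_matches(pattern, principal):
    """'*' matches exactly one whole component; component counts must agree."""
    pc, pr = split_principal(pattern)
    cc, cr = split_principal(principal)
    if len(pc) != len(cc) or pr not in ("*", cr):
        return False
    return all(a in ("*", b) for a, b in zip(pc, cc))


def parse_acl(text):
    """Yield (principal_pattern, perms); a line with no perms field is invalid."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:          # a lone token (no permissions) grants nothing
            yield fields[0], fields[1]


def allowed(acl_text, principal, op):
    """First matching line decides; lowercase grants, uppercase denies."""
    for pattern, perms in parse_acl(acl_text):
        if principal_matches(pattern, principal):
            if perms in ("*", "x"):
                return op in ALL_PRIVS
            return op in perms and op.upper() not in perms
    return False


# Constructed ACL variants modelled on the ones quoted in the thread.
ACL_ADMIN_ONLY = "admin@JNJ.COM *\n"      # one-component name: never matches x/admin
ACL_NO_SPACE = "*/admin@JNJ.COM*\n"       # single token, so no permissions field at all
ACL_WILDCARD = "*/admin@JNJ.COM *\n"      # every */admin principal gets all privileges
# Assumed narrower entry: only what gen_credentials.sh exercised above
# (addprinc -> a, getprinc -> i, xst -> c). Real CM needs may be wider.
ACL_SCOPED = "cloudera-scm/admin@JNJ.COM aci\n"
CM_PRINC = "cloudera-scm/admin@JNJ.COM"

if __name__ == "__main__":
    for name, acl in [("admin only", ACL_ADMIN_ONLY), ("no space", ACL_NO_SPACE),
                      ("wildcard", ACL_WILDCARD), ("scoped", ACL_SCOPED)]:
        print(name, {op: allowed(acl, CM_PRINC, op) for op in "acide"})
```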
Created ‎11-11-2014 12:15 PM
My kadm5.acl is like this:
*/admin@JNJ.COM*
"/var/kerberos/krb5kdc/kadm5.acl" 1L, 18C
So what you are suggesting is to add cloudera-scm/admin@JNJ.COM too, right?
Created ‎11-11-2014 12:36 PM
You should not have to specifically add the CM principal, the */admin should handle it.
From what you pasted, I think you have a space missing between your COM and the "*" at the end of the first line; mine looks like this:
[12:34 root@secsme-1 ~] > cat kadm5.acl
*/admin@COE.CLOUDERA.COM *
Created ‎11-13-2014 09:40 AM
I was able to resolve it.
The space should not be there between COM and * in kadm5.acl.
Thanks!! 🙂
