Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Kerberos Error while adding new impala service

avatar
author-rank srinikar87
New Contributor

Created ‎03-29-2021 06:00 AM

When tried add impala sevice, it recommended to generate missing credentials . when i ran generate missing principles getting below error

 

 

/usr/share/cmf/bin/gen_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ CMF_REALM=NOKIA.COM
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf1248375954852182588.keytab
+ PRINC=impala/e2e-02-cdlkc1.nokia.com@NOKIA.COM
+ MAX_RENEW_LIFE=432000
+ KADMIN='kadmin -k -t /var/run/cloudera-scm-server/cmf2325479638505058033.keytab -p root/admin@NOKIA.COM -r NOKIA.COM'
+ RENEW_ARG=
+ '[' 432000 -gt 0 ']'
+ RENEW_ARG='-maxrenewlife "432000 sec"'
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ kadmin -k -t /var/run/cloudera-scm-server/cmf2325479638505058033.keytab -p root/admin@NOKIA.COM -r NOKIA.COM -q 'addprinc -maxrenewlife "432000 sec" -randkey impala/e2e-02-cdlkc1.nokia.com@NOKIA.COM'
kadmin: Preauthentication failed while initializing kadmin interface
1,016 Views
0 Kudos
0
1 REPLY 1

avatar
author-rank Sean464 author-rank
Expert Contributor

Created on ‎03-29-2021 09:47 PM - edited ‎03-29-2021 09:51 PM

Hello @srinikar87 

 

The error indicates that your KDC server requires clients to pre-authenticate themselves before it can issue a Ticket Granting Ticket (TGT).

 

If your KDC is a MIT kerberos, then probably a command line argument was passed by your administrator to require all clients to use pre-authentication. In this case, we can run the following command on your KDC server which will disable pre-authentication only for the impala principal, and the generate missing credentials should work.  

 

kadmin.local: modprinc -requires_preauth impala/e2e-02-cdlkc1.nokia.com@NOKIA.COM

 

If your KDC is an AD server, then your AD administrator must enable the “Do not require Kerberos pre-authentication” checkbox in the user properties of the newly created impala principal. Refer the attachment. 

 

Please let us know how this goes. 

 

 

Reference: http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Adding-or-Modifying-Principals.html

 

 

Was your question answered? Make sure to mark the answer as the accepted solution.

If you find a reply useful, say thanks by clicking on the thumbs up button.


Disable_in_AD.png

998 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements