Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Kerberos Error while adding new impala service

avatar
New Contributor

When tried add impala sevice, it recommended to generate missing credentials . when i ran generate missing principles getting below error

 

 

/usr/share/cmf/bin/gen_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ CMF_REALM=NOKIA.COM
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf1248375954852182588.keytab
+ PRINC=impala/e2e-02-cdlkc1.nokia.com@NOKIA.COM
+ MAX_RENEW_LIFE=432000
+ KADMIN='kadmin -k -t /var/run/cloudera-scm-server/cmf2325479638505058033.keytab -p root/admin@NOKIA.COM -r NOKIA.COM'
+ RENEW_ARG=
+ '[' 432000 -gt 0 ']'
+ RENEW_ARG='-maxrenewlife "432000 sec"'
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ kadmin -k -t /var/run/cloudera-scm-server/cmf2325479638505058033.keytab -p root/admin@NOKIA.COM -r NOKIA.COM -q 'addprinc -maxrenewlife "432000 sec" -randkey impala/e2e-02-cdlkc1.nokia.com@NOKIA.COM'
kadmin: Preauthentication failed while initializing kadmin interface
1 REPLY 1

avatar
Expert Contributor

Hello @srinikar87 

 

The error indicates that your KDC server requires clients to pre-authenticate themselves before it can issue a Ticket Granting Ticket (TGT).

 

If your KDC is a MIT kerberos, then probably a command line argument was passed by your administrator to require all clients to use pre-authentication. In this case, we can run the following command on your KDC server which will disable pre-authentication only for the impala principal, and the generate missing credentials should work.  

 

kadmin.local: modprinc -requires_preauth impala/e2e-02-cdlkc1.nokia.com@NOKIA.COM

 

If your KDC is an AD server, then your AD administrator must enable the “Do not require Kerberos pre-authentication” checkbox in the user properties of the newly created impala principal. Refer the attachment. 

 

Please let us know how this goes. 

 

 

Reference: http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Adding-or-Modifying-Principals.html

 

 

Was your question answered? Make sure to mark the answer as the accepted solution.

If you find a reply useful, say thanks by clicking on the thumbs up button.


Disable_in_AD.png