Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Kerberos Generate Credentials fails

Labels:
avatar
author-rank danielLP
Contributor

Created on ‎05-20-2015 04:03 AM - edited ‎09-16-2022 02:29 AM

Hi,

I'm trying to configure kerberos on a single user installation.

I've created the cloudera-scm/admin@MYREALM.COM and was able to kinit it manually but I keep falling at the Generate Credentials phase:

 

/usr/share/cmf/bin/gen_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ CMF_REALM=MYREALM.COM
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf470480807619850998.keytab
+ PRINC=yarn/datanode003.domain.com@MYREALM.COM
+ MAX_RENEW_LIFE=604800
+ KADMIN='kadmin -k -t /var/run/cloudera-scm-server/cmf7525098316801008285.keytab -p cloudera-scm/admin@MYREALM.COM -r MYREALM.COM'
+ RENEW_ARG=
+ '[' 604800 -gt 0 ']'
+ RENEW_ARG='-maxrenewlife "604800 sec"'
+ '[' -z /var/run/cloudera-scm-server/krb58981110957643724339.conf ']'
+ echo 'Using custom config path '\''/var/run/cloudera-scm-server/krb58981110957643724339.conf'\'', contents below:'
+ cat /var/run/cloudera-scm-server/krb58981110957643724339.conf
+ kadmin -k -t /var/run/cloudera-scm-server/cmf7525098316801008285.keytab -p cloudera-scm/admin@MYREALM.COM -r MYREALM.COM -q 'addprinc -maxrenewlife "604800 sec" -randkey yarn/datanode003.domain.com@MYREALM.COM'
WARNING: no policy specified for yarn/datanode003.domain.com@MYREALM.COM; defaulting to no policy
add_principal: Operation requires ``add'' privilege while creating "yarn/datanode003.domain.com@MYREALM.COM".
+ '[' 604800 -gt 0 ']'
++ kadmin -k -t /var/run/cloudera-scm-server/cmf7525098316801008285.keytab -p cloudera-scm/admin@MYREALM.COM -r MYREALM.COM -q 'getprinc -terse yarn/datanode003.domain.com@MYREALM.COM'
++ tail -1
++ cut -f 12
get_principal: Operation requires ``get'' privilege while retrieving "yarn/datanode003.domain.com@MYREALM.COM".
+ RENEW_LIFETIME='Authenticating as principal cloudera-scm/admin@MYREALM.COM with keytab /var/run/cloudera-scm-server/cmf7525098316801008285.keytab.'
+ '[' Authenticating as principal cloudera-scm/admin@MYREALM.COM with keytab /var/run/cloudera-scm-server/cmf7525098316801008285.keytab. -eq 0 ']'
/usr/share/cmf/bin/gen_credentials.sh: line 35: [: too many arguments
+ kadmin -k -t /var/run/cloudera-scm-server/cmf7525098316801008285.keytab -p cloudera-scm/admin@MYREALM.COM -r MYREALM.COM -q 'xst -k /var/run/cloudera-scm-server/cmf470480807619850998.keytab yarn/datanode003.domain.com@MYREALM.COM'
kadmin: Operation requires ``change-password'' privilege while changing yarn/avpr-dhc003.lpdomain.com@MYREALM.COM's key
+ chmod 600 /var/run/cloudera-scm-server/cmf470480807619850998.keytab
chmod: cannot access `/var/run/cloudera-scm-server/cmf470480807619850998.keytab': No such file or directory

>>

 

Thanks,

Daniel

 

 

20,620 Views
0 Kudos
2 ACCEPTED SOLUTIONS

avatar
author-rank Grizzly author-rank
Master Collaborator

Created ‎05-23-2015 04:48 AM

 

So as you read through the error message, (the middle here being signficant) this line appears to be indicating at least part of the problem, as well as the others like it, that follow.

 

add_principal: Operation requires ``add'' privilege while creating "yarn/datanode003.domain.com@MYREALM.COM".

 

You would want to review your /var/kerberos/krb5kdc/kadmin5.acl file. Verify if the name pattern you are using for the CM administrator will properly resolve to an administrative account.

View solution in original post

20,568 Views

avatar
author-rank Kartik_Agarwal author-rank
Master Collaborator

Created on ‎01-10-2023 05:28 AM - edited ‎01-10-2023 05:30 AM

@techfriend this can be resolved after modifiying the principle.

WARNING: no policy specified for mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU; defaulting to no policy
add_principal: Principal or policy already exists while creating "mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU".
+ '[' 604800 -gt 0 ']'
++ kadmin -k -t /var/run/cloudera-scm-server/cmf5922922234613877041.keytab -p cloudera-scm/admin@HADM.RU -r HADM.RU -q 'getprinc -terse mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU'
++ tail -1
++ cut -f 12
+ RENEW_LIFETIME=0
+ '[' 0 -eq 0 ']'
+ echo 'Unable to set maxrenewlife'
+ exit 1

Login to kadmin.local shell then modify the principle using below comamnd.

kadmin.local

modprinc -maxrenewlife 90day +allow_renewable mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU

 

View solution in original post

4,230 Views
0 Kudos
7 REPLIES 7

avatar
author-rank danielLP
Contributor

Created ‎05-23-2015 02:06 AM

Anyone ?😐
20,573 Views
0 Kudos

avatar
author-rank Grizzly author-rank
Master Collaborator

Created ‎05-23-2015 04:48 AM

 

So as you read through the error message, (the middle here being signficant) this line appears to be indicating at least part of the problem, as well as the others like it, that follow.

 

add_principal: Operation requires ``add'' privilege while creating "yarn/datanode003.domain.com@MYREALM.COM".

 

You would want to review your /var/kerberos/krb5kdc/kadmin5.acl file. Verify if the name pattern you are using for the CM administrator will properly resolve to an administrative account.

20,569 Views

avatar
author-rank danielLP
Contributor

Created ‎05-25-2015 03:58 AM

Hi,
The problem was indeed the kadm5.acl file where I had a typo in the realm name.

Thank you!
20,557 Views

avatar
author-rank zhuw.bigdata
Expert Contributor

Created ‎12-05-2016 12:44 PM

There are a few files to change for realm renaming.

18,338 Views
0 Kudos

avatar
author-rank techfriend
Explorer

Created ‎09-23-2018 10:33 PM

Hi all,

when enable Kerberos on new cluster after restart the failed installation got the error message 

Generate Missing Credentials Command

/usr/share/cmf/bin/gen_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/usr/lib/mit/bin:/usr/bin:/sbin:/usr/sbin:/bin:/usr/bin
+ CMF_REALM=HADM.RU
+ KEYTAB_OUT=/var/run/cloudera-scm-server/cmf5888901524077791261.keytab
+ PRINC=mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU
+ MAX_RENEW_LIFE=604800
+ KADMIN='kadmin -k -t /var/run/cloudera-scm-server/cmf5922922234613877041.keytab -p cloudera-scm/admin@HADM.RU -r HADM.RU'
+ RENEW_ARG=
+ '[' 604800 -gt 0 ']'
+ RENEW_ARG='-maxrenewlife "604800 sec"'
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ kadmin -k -t /var/run/cloudera-scm-server/cmf5922922234613877041.keytab -p cloudera-scm/admin@HADM.RU -r HADM.RU -q 'addprinc -maxrenewlife "604800 sec" -randkey mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU'
WARNING: no policy specified for mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU; defaulting to no policy
add_principal: Principal or policy already exists while creating "mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU".
+ '[' 604800 -gt 0 ']'
++ kadmin -k -t /var/run/cloudera-scm-server/cmf5922922234613877041.keytab -p cloudera-scm/admin@HADM.RU -r HADM.RU -q 'getprinc -terse mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU'
++ tail -1
++ cut -f 12
+ RENEW_LIFETIME=0
+ '[' 0 -eq 0 ']'
+ echo 'Unable to set maxrenewlife'
+ exit 1

>>
Close
 
 
Redhat 7.5 linux   Cloudera Manager 5.12.1
12,602 Views
0 Kudos

avatar
author-rank Kartik_Agarwal author-rank
Master Collaborator

Created on ‎01-10-2023 05:28 AM - edited ‎01-10-2023 05:30 AM

@techfriend this can be resolved after modifiying the principle.

WARNING: no policy specified for mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU; defaulting to no policy
add_principal: Principal or policy already exists while creating "mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU".
+ '[' 604800 -gt 0 ']'
++ kadmin -k -t /var/run/cloudera-scm-server/cmf5922922234613877041.keytab -p cloudera-scm/admin@HADM.RU -r HADM.RU -q 'getprinc -terse mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU'
++ tail -1
++ cut -f 12
+ RENEW_LIFETIME=0
+ '[' 0 -eq 0 ']'
+ echo 'Unable to set maxrenewlife'
+ exit 1

Login to kadmin.local shell then modify the principle using below comamnd.

kadmin.local

modprinc -maxrenewlife 90day +allow_renewable mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU

 

4,231 Views
0 Kudos

avatar
author-rank Kartik_Agarwal author-rank
Master Collaborator

Created ‎01-16-2023 11:44 PM

@techfriend this can be resolved after modifiying the principle.

WARNING: no policy specified for mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU; defaulting to no policy
add_principal: Principal or policy already exists while creating "mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU".
+ '[' 604800 -gt 0 ']'
++ kadmin -k -t /var/run/cloudera-scm-server/cmf5922922234613877041.keytab -p cloudera-scm/admin@HADM.RU -r HADM.RU -q 'getprinc -terse mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU'
++ tail -1
++ cut -f 12
+ RENEW_LIFETIME=0
+ '[' 0 -eq 0 ']'
+ echo 'Unable to set maxrenewlife'
+ exit 1

modprinc -maxrenewlife 90day +allow_renewable mapred/ip-172-31-46-169.us-west-2.compute.internal@HADM.RU

 

 

4,148 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera DataFlow 2.9 now supports building GenAI pipelines ...
What's New @ Cloudera
Accelerate Data Scientist Productivity with Cloudera Copilot...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
Community Announcements
October 2024 Community Highlights
What's New @ Cloudera
Accelerate Your AI with the Cloudera AI Inference Service wi...
View More Announcements