Support Questions

rrodriguez · ‎11-15-2017

Hello,

I've got a problem with the authentication of Kerberos using the Keytab, when I try to start any instance of HDFS service I keep getting the next error.

org.apache.hadoop.security.KerberosAuthException: Login failure for user: hdfs/<fqdn>@<REALM.COM> from keytab hdfs.keytab javax.security.auth.login.LoginException: Message stream modified (41)

I did not found any satisfactory answer for this problem, and the principals authenticates very well using that keytab file through kinit command.

Thank you in advance.

ancistrus17 · ‎11-15-2017

Hi,

check that the Domain name in your krb5.conf is in uppercase:

default_realm = EXAMPLE.COM

EXAMPLE.COM = {
kdc = domaincontroller.example.com
admin_server = domaincontroller.example.com
default_domain = EXAMPLE.COM
}

.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

regards

rrodriguez · ‎11-15-2017

Yes, the realm name is in uppercase, the same as in the examples

saranvisa · ‎11-15-2017

@rrodriguez

1. Get the node has keytab. Ex: I am using the node which belongs to impala daemon.
2. Go to /var/run/cloudera-scm-agent/process and ls, it will list the process
3. cd xxxxxx-impala-IMPALAD .. ## Run ls cmd and make sure it has impala.keytab
4. klist -kt impala.keytab ## This will list all the available and valid principals
5. kinit -kt impala.keytab <copy paste the valid principal from the above step>
6. klist ## make sure kinit initiated

rrodriguez · ‎11-28-2017

Sorry for the late response.

I did that and it worked with kinit and an imported keytab

Thank you

saranvisa · ‎11-28-2017

@rrodriguez happy to know that it worked!!

rrodriguez · ‎11-28-2017

Sorry, worked the kinit command, Cloudera keeps giving the first mentioned exception.

saranvisa · ‎11-29-2017

@rrodriguez

Is it? my bad, i didn't get it... Did you get a chance to follow 'all' the steps that i've mentioned? if so, were you able to run all the steps successfully?

rrodriguez · ‎11-29-2017

@saranvisa

Yes I've done all the steps in multiple ocasions, kinit command works fine with the keytabs imported but HDFS continues writing that error in logs.

rrodriguez · ‎11-29-2017

Hello @saranvisa

I tested it again after doing a regenerate keytabs and when doing the klist -kt I got the next message.

# klist -kt hdfs.keytab
Keytab name: FILE:hdfs.keytab
klist: Unsupported key table format version number while starting keytab scan

This is not the same for other keytab files in other directories into /var/run/cloudera-scm-agent/process just for some of them.

Any idea of what's happening? Why some processes are getting empty keytab files? I don't understand.

Thank you for the help

Cloudera Community

Support Questions

Kerberos authentication error with keytab