Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Kerberos authentication error with keytab

Labels:
avatar
author-rank rrodriguez
Contributor

Created ‎11-15-2017 12:02 AM

Hello,

 

I've got a problem with the authentication of Kerberos using the Keytab, when I try to start any instance of HDFS service I keep getting the next error.

 

org.apache.hadoop.security.KerberosAuthException: Login failure for user: hdfs/<fqdn>@<REALM.COM> from keytab hdfs.keytab javax.security.auth.login.LoginException: Message stream modified (41)

I did not found any satisfactory answer for this problem, and the principals authenticates very well using that keytab file through kinit command.

 

Thank you in advance.

48,540 Views
0 Kudos
13 REPLIES 13

avatar
author-rank ancistrus17
New Contributor

Created ‎11-15-2017 05:40 AM

Hi,

 

check that the Domain name in your krb5.conf is in uppercase:

 

 

default_realm = EXAMPLE.COM

EXAMPLE.COM = {
kdc = domaincontroller.example.com
admin_server = domaincontroller.example.com
default_domain = EXAMPLE.COM
}

.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

 

regards

45,891 Views
0 Kudos

avatar
author-rank rrodriguez
Contributor

Created ‎11-15-2017 05:42 AM

Yes, the realm name is in uppercase, the same as in the examples

45,889 Views
0 Kudos

avatar
saranvisa author-rank
Champion

Created ‎11-15-2017 08:16 AM

@rrodriguez

 

1. Get the node has keytab. Ex: I am using the node which belongs to impala daemon.
2. Go to /var/run/cloudera-scm-agent/process and ls, it will list the process
3. cd xxxxxx-impala-IMPALAD .. ## Run ls cmd and make sure it has impala.keytab
4. klist -kt impala.keytab ## This will list all the available and valid principals
5. kinit -kt impala.keytab <copy paste the valid principal from the above step>
6. klist ## make sure kinit initiated

45,881 Views
0 Kudos

avatar
author-rank rrodriguez
Contributor

Created ‎11-28-2017 08:17 AM

Sorry for the late response.

 

I did that and it worked with kinit and an imported keytab

 

Thank you

45,813 Views
0 Kudos

avatar
saranvisa author-rank
Champion

Created ‎11-28-2017 11:12 AM

@rrodriguez happy to know that it worked!!

45,799 Views
0 Kudos

avatar
author-rank rrodriguez
Contributor

Created ‎11-28-2017 11:15 PM

Sorry, worked the kinit command, Cloudera keeps giving the first mentioned exception.

45,790 Views
0 Kudos

avatar
saranvisa author-rank
Champion

Created ‎11-29-2017 07:12 AM

@rrodriguez

 

Is it? my bad, i didn't get it... Did you get a chance to follow 'all' the steps that i've mentioned? if so, were you able to run all the steps successfully?

45,770 Views
0 Kudos

avatar
author-rank rrodriguez
Contributor

Created ‎11-29-2017 08:01 AM

@saranvisa

 

Yes I've done all the steps in multiple ocasions, kinit command works fine with the keytabs imported but HDFS continues writing that error in logs.

45,764 Views
0 Kudos

avatar
author-rank rrodriguez
Contributor

Created ‎11-29-2017 11:48 PM

Hello @saranvisa

 

I tested it again after doing a regenerate keytabs and when doing the klist -kt I got the next message.

 

# klist -kt hdfs.keytab
Keytab name: FILE:hdfs.keytab
klist: Unsupported key table format version number while starting keytab scan

 

This is not the same for other keytab files in other directories into /var/run/cloudera-scm-agent/process just for some of them.

 

Any idea of what's happening? Why some processes are getting empty keytab files? I don't understand.

 

Thank you for the help

45,749 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements