Created 11-15-2017 12:02 AM
Hello,
I've got a problem with Kerberos authentication using the keytab: when I try to start any instance of the HDFS service I keep getting the following error.
org.apache.hadoop.security.KerberosAuthException: Login failure for user: hdfs/<fqdn>@<REALM.COM> from keytab hdfs.keytab javax.security.auth.login.LoginException: Message stream modified (41)
I did not find any satisfactory answer for this problem, and the principals authenticate very well using that keytab file through the kinit command.
Thank you in advance.
Created 11-15-2017 05:40 AM
Hi,
Check that the domain name in your krb5.conf is in uppercase:
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = domaincontroller.example.com
        admin_server = domaincontroller.example.com
        default_domain = EXAMPLE.COM
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
regards
Created 11-15-2017 05:42 AM
Yes, the realm name is in uppercase, the same as in the examples.
Created 11-15-2017 08:16 AM
1. Go to the node that has the keytab. Ex: I am using the node which belongs to the impala daemon.
2. Go to /var/run/cloudera-scm-agent/process and run ls; it will list the processes
3. cd xxxxxx-impala-IMPALAD .. ## Run ls cmd and make sure it has impala.keytab
4. klist -kt impala.keytab ## This will list all the available and valid principals
5. kinit -kt impala.keytab <copy paste the valid principal from the above step>
6. klist ## make sure kinit initiated
Created 11-28-2017 08:17 AM
Sorry for the late response.
I did that and it worked with kinit and an imported keytab.
Thank you
Created 11-28-2017 11:12 AM
@rrodriguez happy to know that it worked!!
Created 11-28-2017 11:15 PM
Sorry, the kinit command worked, but Cloudera keeps giving the first-mentioned exception.
Created 11-29-2017 07:12 AM
Is it? My bad, I didn't get it... Did you get a chance to follow 'all' the steps that I've mentioned? If so, were you able to run all the steps successfully?
Created 11-29-2017 08:01 AM
Yes, I've done all the steps on multiple occasions. The kinit command works fine with the imported keytabs, but HDFS continues writing that error in the logs.
Created 11-29-2017 11:48 PM
Hello @saranvisa
I tested it again after regenerating the keytabs, and when running klist -kt I got the following message.
# klist -kt hdfs.keytab
Keytab name: FILE:hdfs.keytab
klist: Unsupported key table format version number while starting keytab scan
This is not the same for the other keytab files in other directories under /var/run/cloudera-scm-agent/process, just for some of them.
Any idea of what's happening? Why are some processes getting empty keytab files? I don't understand.
Thank you for the help
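The check described in the last post, as an added example that is not part of the original thread or of Cloudera's tooling: it classifies every *.keytab below a directory by its first two bytes, since an MIT keytab file starts with 0x05 followed by the format version (0x01 or 0x02) and a zero-length file has no header at all. The demo directory names and file contents are constructed; on a real host you would point scan_keytabs at /var/run/cloudera-scm-agent/process.

```shell
#!/bin/sh
# Added example: find keytab files that klist would reject before starting a role.

# Print one status word for a single file: ok-v2, ok-v1, empty, bad-header, missing.
keytab_status() {
    f=$1
    [ -f "$f" ] || { echo missing; return 0; }
    [ -s "$f" ] || { echo empty; return 0; }
    # First two bytes as hex, e.g. "0502" (od -N is POSIX).
    hdr=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
    case "$hdr" in
        0502) echo ok-v2 ;;
        0501) echo ok-v1 ;;
        *)    echo bad-header ;;
    esac
}

# Print "<status> <path>" for each *.keytab under a directory.
# Returns non-zero if any file is empty or has an unrecognised header.
scan_keytabs() {
    rc=0
    old_ifs=$IFS
    IFS='
'
    for kt in $(find "$1" -type f -name '*.keytab' | sort); do
        st=$(keytab_status "$kt")
        echo "$st $kt"
        case "$st" in
            ok-*) ;;
            *)    rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# Constructed demo tree: one zero-length keytab, one with a valid v2 header.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/101-hdfs-NAMENODE" "$demo_dir/102-impala-IMPALAD"
: > "$demo_dir/101-hdfs-NAMENODE/hdfs.keytab"
printf '\005\002demo' > "$demo_dir/102-impala-IMPALAD/impala.keytab"
scan_keytabs "$demo_dir" || echo "at least one keytab is unusable"
rm -rf "$demo_dir"
```

A header check only shows that the file is a keytab at all; `klist -kt` on a file reported as ok is still needed to see which principals and key versions it holds.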