Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Kerberos authentication error with keytab

Labels:
avatar
author-rank rrodriguez
Contributor

Created ‎11-15-2017 12:02 AM

Hello,

 

I've got a problem with the authentication of Kerberos using the Keytab, when I try to start any instance of HDFS service I keep getting the next error.

 

org.apache.hadoop.security.KerberosAuthException: Login failure for user: hdfs/<fqdn>@<REALM.COM> from keytab hdfs.keytab javax.security.auth.login.LoginException: Message stream modified (41)

I did not found any satisfactory answer for this problem, and the principals authenticates very well using that keytab file through kinit command.

 

Thank you in advance.

52,552 Views
0 Kudos
13 REPLIES 13

avatar
author-rank rrodriguez
Contributor

Created ‎11-30-2017 12:08 AM

Hi again @saranvisa,

 

I checked the logs and I saw that the error that I was getting on starting a service was caused from a certain process so I got in that directory and looked for the error on hdfs.keytab. When doing the klist -kt hdfs.keytab I got the principals list, tried to make a kinit with one of them and it worked well.

 

What I've seen is that the imported keytabs I was trying to klist were some old keytab files, modified few weeks ago, and the logs gave me the clue on which directory test the keytab files.

 

So we are at the same point, seems that krb5-workstation commands work fine, keytabs were generated right and the service keeps outputing the same error again and again.

 

Some more ideas to test?

 

Thank you

17,264 Views
0 Kudos

avatar
author-rank rrodriguez
Contributor

Created ‎12-13-2017 04:00 AM

We surpassed the error just configuring Cloudera to authenticate to a local KDC, we were using a KDC provided by WSO2, this problem got solved but not with the scenario it appeared first.

17,244 Views
0 Kudos

avatar
author-rank Zubair
New Contributor

Created ‎04-03-2019 04:41 PM

Do you wanted to check the proper Authentication is Happenning between Cluster and AD, make sure port,

15,975 Views
0 Kudos

avatar
salimhussain author-rank
Cloudera Employee

Created ‎10-12-2020 05:37 AM

When you get below error message when doing kinit using a keytab file

klist: Unsupported key table format version number while starting keytab scan

Make sure that keytab file is not of zero byte 
e.g This is Zero byte keytab file and you will get the above error when trying to do kinit with it

-rw------- 1 cloudera-scm cloudera-scm 0 Aug 30 12:15 ./32-cloudera-mgmt-SERVICEMONITOR/cmon.keytab

A good keytab file will have non-zero size e.g. 778 for the below file 

-rw------- 1 cloudera-scm cloudera-scm 778 Oct 12 05:21 ./150-cloudera-mgmt-SERVICEMONITOR/cmon.keytab

 

14,392 Views
0 Kudos
Announcements
Community Announcements
April 2025 Cloudera Customer Advisory: Cloudera’s response t...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
View More Announcements